Steve has asked me to write the audit dispatcher, and after talking
about it we already have some plans (as you'll see below :) but we would
welcome input from people on this list.
First to bring you all up to speed with what we know:
. Development should be starting soon.
. It will, at least initially, be distributed as part of the audit
package.
. We are planning to have a usable version for Fedora 7.
. That initial version will be able to act as the dispatcher for auditd
and (re-)send those messages to multiple plugins.
. Those plugins can be shipped separately.
...and what seems very likely:
. The plugins will be external applications.
. The dispatcher itself will not be parsing audit messages and will be
designed as a kind of Publish/Subscribe daemon.
. In that vein, reuse of code from And-httpd/Vstr/etc.[1] is more than
very likely.
. The dispatcher will only be doing minimal content filtering for the
plugins (this kind of falls out from the minimal parsing).
. That message input, as well as output, will come from plugins.
. There'll be a mode for the plugin to run in where it speaks a
mini-protocol with the dispatcher, instead of just getting raw messages
from auditd.
. That the mini-protocol will allow "commands" to go back to the
dispatcher (think remote server says "out of disk space, do X" or IDS
says "attack happening from IP block X/y, do Z").
. The initial set of plugins will contain at least something to connect
the dispatcher to setroubleshootd and something for (secure) remote
logging.
I've probably missed something already, so if there's anything you want
that isn't on the above list or anything that isn't clear and you want
to clarify ... just hit reply :).
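As an added illustration of the publish/subscribe design sketched above (this is example code, not code from the audit package or from the author), here is a minimal dispatcher model in Python: raw records come in one line at a time, each subscribed plugin is an external process fed on stdin, "filtering" is limited to peeking at the leading type= token rather than parsing the record, and a plugin whose pipe closes is marked dead and dropped without stalling delivery to the others. The Dispatcher and PipePlugin names, the per-plugin type sets and the sample records are all constructed for this example; the mini-protocol's command channel back to the dispatcher is not modeled.

```python
"""Sketch of a publish/subscribe audit dispatcher: raw records in, fan-out to
plugin processes, minimal per-plugin filtering, no parsing of the record body.
Hypothetical example code, not the audit package's own dispatcher."""
import subprocess
import sys

# Constructed records in auditd's text format; not real audit data.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1161234567.123:45): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="cat"',
    'type=AVC msg=audit(1161234567.123:45): avc:  denied  { read } for  '
    'pid=1234 comm="cat" scontext=EXAMPLE_CONTEXT',
    'type=USER_LOGIN msg=audit(1161234568.000:46): user pid=1300 uid=0 '
    "msg='op=login acct=\"root\" res=failed'",
]


def record_type(record):
    """Minimal content filtering: return the leading 'type=XYZ' token of a raw
    record without parsing anything after it ('' if the record has none)."""
    if record.startswith("type="):
        return record[5:].split(" ", 1)[0]
    return ""


class PipePlugin:
    """A plugin is an external program that receives raw records on stdin."""

    def __init__(self, name, argv):
        self.name = name
        self.proc = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)

    def write(self, record):
        self.proc.stdin.write(record + "\n")
        self.proc.stdin.flush()

    def close(self):
        self.proc.stdin.close()
        return self.proc.wait()


class Dispatcher:
    def __init__(self):
        self.subs = []      # (plugin, set of wanted record types, or None = all)
        self.dead = set()   # names of plugins whose stdin pipe has closed

    def subscribe(self, plugin, types=None):
        self.subs.append((plugin, set(types) if types else None))

    def publish(self, record):
        """Deliver one raw record to every live, matching plugin.  A plugin
        whose pipe is gone is marked dead; the others still get the record.
        Returns the names of the plugins that received it."""
        delivered = []
        for plugin, types in self.subs:
            if plugin.name in self.dead:
                continue
            if types is not None and record_type(record) not in types:
                continue
            try:
                plugin.write(record)
                delivered.append(plugin.name)
            except BrokenPipeError:
                self.dead.add(plugin.name)
        return delivered

    def run(self, lines):
        """Feed a stream of raw lines (e.g. sys.stdin from auditd) through
        publish(); returns a per-plugin count of records delivered."""
        counts = {}
        for line in lines:
            line = line.rstrip("\n")
            if not line:
                continue
            for name in self.publish(line):
                counts[name] = counts.get(name, 0) + 1
        return counts


def main():
    # Stand-in plugin processes: each child just echoes what it receives.
    echo = [sys.executable, "-c",
            "import sys\nfor l in sys.stdin: sys.stderr.write('plugin got: ' + l)"]
    d = Dispatcher()
    d.subscribe(PipePlugin("all", echo))                   # wants everything
    d.subscribe(PipePlugin("selinux", echo), types={"AVC"})  # only AVC records
    counts = d.run(SAMPLE_RECORDS)
    for plugin, _ in d.subs:
        plugin.close()
    print(counts)


if __name__ == "__main__":
    main()
```

Run stand-alone it spawns two throwaway child processes and prints the delivery counts ({'all': 3, 'selinux': 1} for the constructed records). The only place the dispatcher looks inside a record is record_type(), which is the "minimal content filtering" the plan calls for; everything else is opaque bytes passed through, so a plugin that needs real parsing does it on its own side of the pipe.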
[1] http://www.and.org/and-httpd/ and http://www.and.org/vstr/
--
James Antill - <james.antill(a)redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...);