Kay Hayen wrote: 
No, when opening the socket the to the sub deamon audisp. I couldn't convice 
myself how the API would work with a socket. Does it?

The auparse library can read a stream by opening the parser with AUSOURCE_FEED, you set a callback, then feed arbitrary number of bytes into the parser by calling auparse_feed(), you'll be called back when a complete event is found, at that point just use the normal auparse functions.

You can read off of this unix socket (/var/run/audispd_events) but this is deprecated. It is now preferred is now to use a audispd plugin and read from stdin. See the audit src package and look in audisp/plugins for examples. FWIW I noticed that code was calling fgets to get data to feed to auparse_feed() but it seems inefficient to buffer lines twice, auparse_feed will do the line protocol.
I read that as that we can use the netlink socket with the libaudit directly, 
which sort of could be exactly what we want. That would mean we wouldn't use 
audit user space (processes) at all, right?
No, you really want to use the user space interface (see above).
  
You have 4 points to get the audit stream, in order of distance from the
event generation: the audit netlink socket, auditd realtime interface,
audisp plugin interface, and the af_unix socket created by the af_unix
plugin from audispd. For higher reliability where you don't want of need
any other audit processing interfering, I would say use either of the first
2.
    

The latency is getting higher with each step. For optimal performance we would 
listen to the netlink socket and duplicate only the code essential to process 
what we are interested it. 

For extra points and hurt, we would do it in Ada and inside the target 
process, really achieving the low latency. It may be the only realistic 
option, but it also feels like duplication of effort. We have done netlink 
interfaces in Ada before, but also have on our mind that it was said that the 
netlink interface was said (not by you) to be still in flux. Is that still 
true?

It certainly would be nice if the audisp had some form of output that can be 
fed directly into libaudit parsing as it comes in. But that may be an 
unrealistic expectation, is it?
It does, see above comment.


-- 
John Dennis <jdennis@redhat.com>