On Tuesday 19 August 2008 13:46:14 Kay Hayen wrote:
> > No, you really want to use the user space interface (see
> > above).
> Well, for lowest latency possible (note the "live" in subject), it would be
> ideal to avoid context switches auditd -> audisp -> our supervisor and
> instead simply run an additional netlink socket in addition to auditd (if
> that is allowed). That way we would have a lot less latency, at least in
> theory.
Only 1 netlink socket connection is allowed. The code you want to write for
low latency would either need to take the place of the audit daemon, meaning
you need to make your own trail if you need it, or write an audispd that is
run from auditd. There is some sample code here, contrib/skeleton.c, for
starting your own audispd.
-Steve
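The shape of such an audispd plugin, as an added example written for this thread (it is not the audit project's contrib/skeleton.c and not code from either poster): audispd hands each audit record to a plugin as one line on stdin in the default string format, so the plugin parses the `type=... msg=audit(sec.msec:serial):` header, reacts to each record as it arrives rather than batching, and honours SIGTERM (exit) and SIGHUP (reload). The record lines, the watched-type list and the buffer size are constructed for the example; a real plugin would size its buffer from libaudit's MAX_AUDIT_MESSAGE_LENGTH and be registered with audispd through its plugins.d configuration.

```c
/* Added example, not audit's contrib/skeleton.c: a minimal audispd-style
 * plugin that reads records from stdin and acts on each one immediately.
 * Assumed input (constructed for this example), one record per line:
 *   type=SYSCALL msg=audit(1219143974.123:456): arch=c000003e syscall=59 ...
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct audit_hdr {
    char type[32];          /* record type, e.g. SYSCALL */
    long sec;               /* timestamp seconds */
    long msec;              /* timestamp milliseconds */
    unsigned long serial;   /* event serial shared by all records of one event */
};

/* Parse "type=X msg=audit(sec.msec:serial):" from a record line.
 * Returns 0 on success, -1 if the line does not carry that header. */
int parse_audit_hdr(const char *line, struct audit_hdr *h)
{
    const char *p = strstr(line, "type=");
    if (!p) return -1;
    p += 5;
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= sizeof h->type) return -1;
    memcpy(h->type, p, n);
    h->type[n] = '\0';
    const char *m = strstr(p, "msg=audit(");
    if (!m) return -1;
    if (sscanf(m + 10, "%ld.%ld:%lu)", &h->sec, &h->msec, &h->serial) != 3)
        return -1;
    return 0;
}

/* Record types this example chooses to react to (constructed watch list). */
int is_watched_type(const char *type)
{
    static const char *watched[] = { "USER_LOGIN", "USER_AUTH", "ANOM_ABEND", "EXECVE" };
    for (size_t i = 0; i < sizeof watched / sizeof *watched; i++)
        if (strcmp(type, watched[i]) == 0) return 1;
    return 0;
}

static unsigned long handled = 0, dropped = 0;

/* Handle one record line. Returns 1 if it parsed and was dispatched,
 * 0 if it was not a recognisable audit record. */
int handle_record(const char *line)
{
    struct audit_hdr h;
    if (parse_audit_hdr(line, &h) != 0) {
        dropped++;
        return 0;
    }
    handled++;
    if (is_watched_type(h.type)) {
        printf("%s serial=%lu at %ld.%03ld\n", h.type, h.serial, h.sec, h.msec);
        fflush(stdout);   /* act per record; no batching, so no added latency */
    }
    return 1;
}

/* audispd stops a plugin with SIGTERM and asks it to reload with SIGHUP. */
static volatile sig_atomic_t stop_requested = 0;
static volatile sig_atomic_t reload_requested = 0;
static void on_term(int sig) { (void)sig; stop_requested = 1; }
static void on_hup(int sig)  { (void)sig; reload_requested = 1; }

int main(void)
{
    char line[8192];   /* constructed size; use MAX_AUDIT_MESSAGE_LENGTH in a real plugin */
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_term;
    sigaction(SIGTERM, &sa, NULL);
    sa.sa_handler = on_hup;
    sigaction(SIGHUP, &sa, NULL);

    while (!stop_requested && fgets(line, sizeof line, stdin)) {
        if (reload_requested) {
            reload_requested = 0;
            /* re-read the plugin's own configuration here */
        }
        handle_record(line);
    }
    fprintf(stderr, "handled=%lu dropped=%lu\n", handled, dropped);
    return 0;
}
```

Run it with audit records on stdin to see the per-record dispatch; the point of the loop is that each line is processed and flushed as it arrives, which is the lowest-latency path available once the single netlink connection belongs to auditd.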