> Well, collecting the data is just the first step,
> no point asking about alarming if the data
> collection isn't being done ;)
>
>
> >> Or for that matter, a series of events?
> >>
> >> And how would this be done in real time?
> >>
> >
> > You'd write an auditd plugin.
> >
> > Real time alarming (i.e. noticing a set of events and taking
> > some action) is a future project. Unless you're looking to
> > do it as part of IPFilter.....
> >
>
> Which plugin interfaces would be used?
The Contracted Project Private ones from PSARC/2002/150
We'd love to get enough experience with them to be able
to raise the commitment level. Would you like to be the
first non-Audit team member to use them? If so, see me ;-)
> The man page for auditd talks about audit_warn,
> but there is no suggestion of any plugin capabilities.
See audit_control(4) which describes how to configure
auditd to use particular plugins. See audit_binfile(5)
and audit_syslog(5) for the existant plugins.
> Well, I'm not interested in cron jobs or needing to run
OK, then I suspect we'll either have to work on a specific
auditd plugin for you, or you'll have to wait till we do the
general alarming plugin for your project. Or as Nico hinted
you could do a specialized PAM service module. Architecturally
ugly, but would work. The architecurally cleanest today (well
really tomorrow) is a auditd plugin, or a daemon that counted
change events to the current audit trail file and looked at
what was going on if it got too many in a short time.
Gary..
