Distributed Audit Daemon
Abstract
The basic idea behind this project is to implement secure and reliable log file shipping to remote hosts. While the implementation focuses on audit logs, the goal is to build tools that make it possible to perform distributed logging for any application, using a simple API and linking against a shared library.
Implementation
Basics
We have a very simple API with only one function call:
dlogd_submit (const char * pathname, const char * keyword)
pathname specifies which file we are going to submit.
keyword is the magic word that identifies what type of log file it is (for example, it could be "audit" or "ASsd23").
There are two types of communication: local, when an application passes a pathname and keyword to the daemon, and remote, when the daemon delivers a logfile to a remote host. I will refer to the daemon as the client when local communication takes place (receiving a keyword and pathname from another process), and as the server when remote communication takes place (receiving a logfile from a remote host).
Client implementation
Configuration
Example configuration for client:
keyword "audit" {
    group "wheel";
    uid "1001";
    host "192.168.0.1";
}
host "192.168.0.1" {
}
This specifies the description for keyword "audit". We allow submitting logs with keyword "audit" by the user whose uid is 1001 or whose group is "wheel". We also order logs with this keyword to be delivered to the host with IP 192.168.0.1.
Implementation
We use UNIX domain sockets for IPC here. When we receive a keyword and pathname on the socket, we check the peer's credentials to see whether that user is allowed to submit logs with the specified keyword. If the check passes, we link the original file into the spool.
Spool implementation
The general spool structure is /var/spool/dlogd/<keyword>/<timestamp>.<filename>. So if we get the pathname /var/log/dmesg.today with the keyword boot, it will be linked to /var/spool/dlogd/boot/1184827423.dmesg.today (if it was submitted at 1184827423, which is Thu Jul 19 06:43:43 UTC 2007).
We have two threads: one listens on the socket and adds files to the spool, the other walks the spool and sends pending files out.
Server implementation
Configuration
Example configuration for server:
keyword "audit" {
    host "192.168.0.1" dir "/var/log/remote/host1/audit";
}
host "192.168.0.1" {
}
This specifies the description for keyword "audit". We accept logfiles with keyword "audit" from the host with IP 192.168.0.1 and store them in the "/var/log/remote/host1/audit" directory.
Implementation
The daemon listens on a regular TCP socket, receives a keyword and checks whether the remote host is allowed to submit log files with it. If so, we send an OK message back and receive the log file, which we put in the specified directory.
Authentication
Application to client daemon
We rely on peer credential checking, which the kernel provides because we use UNIX domain sockets for IPC.
Client daemon to application
Only a user with appropriate permissions can create the socket at the specified location (consider /var/dlogd/socket/dlogd.socket), so an application connecting there knows it is talking to the daemon.
Client daemon to server daemon
We will rely on SSL here.
Project status
- Configuration file parsing: complete
- User-space library: complete
- Checking remote credentials: complete
- Spooling: in progress
- Network protocol: in progress
- SSL: in progress
References
- Message I sent to freebsd-hackers@ with the initial design proposal.
- Distributed logging daemon Perforce repository.