Distributed Audit Daemon

Abstract

The basic idea behind this project is to implement secure and reliable log file shipping to remote hosts. While the implementation focuses on audit logs, the goal is to build tools that will make it possible to perform distributed logging for any application by using a simple API and linking with a shared library.

Implementation

Basics

The API is very simple, with a single function call:

dlogd_submit(const char *pathname, const char *keyword)

pathname specifies the file to submit.

keyword is the magic word that identifies the type of log file (for example, "audit" or "ASsd23").

There are two types of communication: local, when an application passes a pathname and keyword to the daemon, and remote, when the daemon delivers a log file to a remote host. I will refer to the daemon as the client when local communication takes place (receiving a keyword and pathname from another process), and as the server when remote communication takes place (receiving a log file from a remote host).

Client implementation

Configuration

Example configuration for client:

keyword "audit" {
  group "wheel";
  uid   "1001";
  host  "192.168.0.1";
}

host "192.168.0.1" {

}

This describes the keyword "audit". Logs with keyword "audit" may be submitted by the user whose uid is 1001 or by any member of group "wheel". Logs with this keyword are delivered to the host with IP 192.168.0.1.

Implementation

We use UNIX domain sockets for IPC here. When we receive a keyword and pathname over the socket, we check the peer's credentials to see whether that user is allowed to submit logs with the specified keyword. If authentication succeeds, we link the original file into the spool.

Spool implementation

The general spool structure is /var/spool/dlogd/<keyword>/<timestamp>.<filename>. So if we receive the pathname /var/log/dmesg.today with keyword boot, it is linked to /var/spool/dlogd/boot/1184827423.dmesg.today (if it was submitted at 1184827423, which is Thu Jul 19 06:43:43 UTC 2007).

The client daemon has two threads. One listens on the socket and adds files to the spool; the other walks the spool and sends pending files out.
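The two client-side steps above (the credential check against a keyword block, then the spool placement) as an added C example; this is not dlogd's own code, and the struct names, the resolved-gid representation of "group", and the constructed test credentials are assumptions. It also rejects keywords that would escape the spool directory, a check the page does not mention.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

#define DLOGD_MAXGROUPS 16   /* matches XU_NGROUPS of FreeBSD's struct xucred */

/* Assumed in-memory form of one keyword "..." { group; uid; host; } block,
 * with the group name already resolved to a gid (e.g. via getgrnam). */
struct keyword_cfg {
    const char *keyword;
    uid_t       uid;    /* user allowed to submit under this keyword */
    gid_t       gid;    /* group allowed to submit under this keyword */
    const char *host;   /* host this keyword's logs are delivered to */
};

/* Peer credentials as read from the UNIX domain socket (LOCAL_PEERCRED on
 * FreeBSD gives uid and the full group list); test values are constructed. */
struct peer_cred {
    uid_t uid;
    int   ngroups;
    gid_t groups[DLOGD_MAXGROUPS];   /* primary group first */
};

/* 1 if the peer's uid matches the configured uid or any of its groups matches
 * the configured group, else 0. */
int dlogd_authorize(const struct keyword_cfg *cfg, const struct peer_cred *pc)
{
    if (pc->uid == cfg->uid)
        return 1;
    for (int i = 0; i < pc->ngroups && i < DLOGD_MAXGROUPS; i++)
        if (pc->groups[i] == cfg->gid)
            return 1;
    return 0;
}

/* Build /var/spool/dlogd/<keyword>/<timestamp>.<filename> into buf using the
 * basename of pathname. Returns -1 (and buf must not be used) if the keyword
 * is empty, starts with '.', or contains '/', if the basename is empty, or
 * if the result does not fit in buf. */
int dlogd_spool_path(const char *keyword, const char *pathname, time_t ts,
                     char *buf, size_t buflen)
{
    const char *slash = strrchr(pathname, '/');
    const char *fname = slash ? slash + 1 : pathname;
    if (*keyword == '\0' || *keyword == '.' || strchr(keyword, '/') || *fname == '\0')
        return -1;
    int n = snprintf(buf, buflen, "/var/spool/dlogd/%s/%lld.%s",
                     keyword, (long long)ts, fname);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}
```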

Server implementation

Configuration

Example configuration for server:

keyword "audit" {
  host  "192.168.0.1" dir "/var/log/remote/host1/audit";
}

host "192.168.0.1" {

}

This describes the keyword "audit". Log files with keyword "audit" are accepted from the host with IP 192.168.0.1 and stored in the "/var/log/remote/host1/audit" directory.

Implementation

The daemon listens on a regular TCP socket, receives the keyword and checks whether the remote host is allowed to submit log files with it. If so, it sends an OK message back and receives the log file, which is stored in the configured directory.

Authentication

Application to client daemon

We rely on the peer credential check (the credentials of the connecting process) that UNIX domain sockets provide for IPC.

Client daemon to application

Only a user with appropriate permissions can create the socket at the specified location (consider /var/dlogd/socket/dlogd.socket).

Server daemon to server daemon

We will rely on SSL here.

Project status

References

DistributedAuditDaemon (last edited 2008-06-17 21:38:02 by localhost)