detached ra collection?

Joe Christy joe at eshu.net
Tue Nov 12 18:11:34 EST 2002 

Peter Van Epp wrote:

>	The safe way to do this is to put 2 interfaces in the Argus box,...
>
    Thanks for your reply. I already in fact use an architecture such as 
you suggest.

    My real question is: Is there already a way to run ra, from an init 
script, detached from its parent process, yet still able to receive signals.

    Obviously, " ra -S fw -w secure-archive &" will run ra in the 
background, and will gracefully terminate in response to a SIGTERM, but 
will not survive the exit of its parent process, making it unsuitable in 
an init script; "nohup ... &" immunizes ra from the SIGHUP when the 
parent process exits, but also immunizes it to a SIGTERM, so it can only 
be killed, leaving its buffers unflushed.

    On a single machine srchitecture, argus will happily record its 
audit data autonomously, but an a split architecture such as we agree 
should be used ina secure environment, this doesn't appear to be 
possible without a wrapper around ra, which seems to be designed to be 
run interactively *only*.

>
>  
>
>>I run ra outside my firewall and, for security reasons, would like to 
>>automoagically archive the the collected data on a machine inside. It 
>>seems like "ra -S firewall -w secure-archive" would be just the thing, 
>>if I could run ra, *detached* from its parent process, launched from an 
>>init script (which would also send it a sigterm to flush its buffers at 
>>system shutdown).
>>
>>Poring over the documentation and a little experimentation hasn't 
>>yielded a simple minded way to do this.
>>
>>Surely someone else has faced this problem, so before I hack a perl 
>>wrapper to fork() and setsid() an ra, I thought I'd ask if this 
>>particular whell has already been invented.
>>
>>-- 
>>======== Joe Christy ============================== joe at eshu.net =======
>>---- Voice:831/423-7151 --- Mobile:650/483-9123 --- FAX:831/469-0804 ---
>>__ If I can save you any time, give it to me, I'll keep it with mine. __
>> www.eshu.net/CA.html  BF:38:C1:17:5F:F4:00:19:53:01:7B:4C:88:72:93:85 
>>
>>
>>
>>    
>>


-- 
======== Joe Christy ============================== joe at eshu.net =======
---- Voice:831/423-7151 --- Mobile:650/483-9123 --- FAX:831/469-0804 ---
__ If I can save you any time, give it to me, I'll keep it with mine. __
 www.eshu.net/CA.html  BF:38:C1:17:5F:F4:00:19:53:01:7B:4C:88:72:93:85

More information about the argus mailing list