detached ra collection?

Peter Van Epp vanepp at sfu.ca
Wed Nov 13 11:32:49 EST 2002 

	Since I'm not (yet) running argus that way although I need to start
when my Gig links come I'll leave this one to either Carter or the CMU folks 
(who are running this way). At present I'm running argus_bpf writing to a file 
on the machine and then copying the file away (after moving it out from under 
argus_bpf) but on a fast link the local disk I/O affects capture performance 
and you need to move to the split capture. I will be interested in what you
find though since I need to do this too :-)

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> Peter Van Epp wrote:
> 
> >	The safe way to do this is to put 2 interfaces in the Argus box,...
> >
>     Thanks for your reply. I already in fact use an architecture such as 
> you suggest.
> 
>     My real question is: Is there already a way to run ra, from an init 
> script, detached from its parent process, yet still able to receive signals.
> 
>     Obviously, " ra -S fw -w secure-archive &" will run ra in the 
> background, and will gracefully terminate in response to a SIGTERM, but 
> will not survive the exit of its parent process, making it unsuitable in 
> an init script; "nohup ... &" immunizes ra from the SIGHUP when the 
> parent process exits, but also immunizes it to a SIGTERM, so it can only 
> be killed, leaving its buffers unflushed.
> 
>     On a single machine srchitecture, argus will happily record its 
> audit data autonomously, but an a split architecture such as we agree 
> should be used ina secure environment, this doesn't appear to be 
> possible without a wrapper around ra, which seems to be designed to be 
> run interactively *only*.
> 
> >
> >  
> >
> >>I run ra outside my firewall and, for security reasons, would like to 
> >>automoagically archive the the collected data on a machine inside. It 
> >>seems like "ra -S firewall -w secure-archive" would be just the thing, 
> >>if I could run ra, *detached* from its parent process, launched from an 
> >>init script (which would also send it a sigterm to flush its buffers at 
> >>system shutdown).
> >>
> >>Poring over the documentation and a little experimentation hasn't 
> >>yielded a simple minded way to do this.
> >>
> >>Surely someone else has faced this problem, so before I hack a perl 
> >>wrapper to fork() and setsid() an ra, I thought I'd ask if this 
> >>particular whell has already been invented.
> >>
> >>-- 
> >>======== Joe Christy ============================== joe at eshu.net =======
> >>---- Voice:831/423-7151 --- Mobile:650/483-9123 --- FAX:831/469-0804 ---
> >>__ If I can save you any time, give it to me, I'll keep it with mine. __
> >> www.eshu.net/CA.html  BF:38:C1:17:5F:F4:00:19:53:01:7B:4C:88:72:93:85 
> >>
> >>
> >>
> >>    
> >>
> 
> 
> -- 
> ======== Joe Christy ============================== joe at eshu.net =======
> ---- Voice:831/423-7151 --- Mobile:650/483-9123 --- FAX:831/469-0804 ---
> __ If I can save you any time, give it to me, I'll keep it with mine. __
>  www.eshu.net/CA.html  BF:38:C1:17:5F:F4:00:19:53:01:7B:4C:88:72:93:85 
> 
> 
> 
>

More information about the argus mailing list