What is linux auditd ?
----------------------

From the README file :

"Auditd is the name used for this package whose goal is to provide the linux kernel with a mandatory logging facility. By "mandatory", we mean that *every* process will be affected by the auditing, since it takes place in the kernel. Multiple system calls are logged by auditd in order to detect security abuses from userland processes without needing their cooperation. A great point in this practice is that even backdoors will be monitored by auditd. A bad point in such a system, however, is that details about the occurring actions are very poor. That's why auditd should be used for security, while syslogd should be used for debugging."

On what operating systems does auditd run ?
-------------------------------------------

This auditd package was built especially for the linux operating system. The kernel auditing facility part can be integrated into the kernel using the modkaf kernel module, which requires dynamic /proc node registration, or by applying kernel patches, which, although provided with the auditd package, are not supported anymore.

To verify if your kernel supports dynamic /proc node registration, use :

    grep proc_register /proc/ksyms

Can I use auditd for production purposes ?
------------------------------------------

Of course, auditd can't hurt your security policies. However, there is much work to be done. Neither HERT nor I will take any responsibility for the security hazard caused by relying excessively on auditd when building your security policies. At this present moment, auditd is more of a proof of concept than a production environment security tool. It is still possible for a cracker to avoid auditd's eyes, by using udp instead of tcp, as an example. Many system calls remain to be audited by the kernel auditing facility. However, going further into such projects will require us to implement basic in-kernel audit trail filtering, which means adding management system calls, etc.

See the TODO list for more info.

What's new since the previous version ?
---------------------------------------

The latest version (1.20) includes a kernel module (modkaf) which replaces the previously used patches, which obviously sucked. There also is a library (libaudit) which enables you to write applications which emit debugging trails under certain trust-related conditions. This very library can also be used as an LD_PRELOAD object to hook syslog calls (please note that this does not work with perl syslog calls, since perl seems to go directly to the syslog socket instead of through the C syslog API).

Is there anything I can do to help auditd's development ?
---------------------------------------------------------

Of course. From the README file :

* Auditd -> MySQL interface;
* Audit trail transfer protocol (using asymmetric crypto);
* Profiler tool for easy auditd configuration;
* Win32 trail analysis tool;
* More syscall audit hooks;
* In-kernel basic trail filtering.

Any code implementing [parts of] these features would be greatly appreciated.

Where can I reach you ?
-----------------------

Try klog [at] hert.org. The auditd homepage is located at: http://www.hert.org/

NOTE: auditd appears to have been abandoned by HERT, as the auditd information is no longer available at www.hert.org as at 01 Jan 2003.
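The LD_PRELOAD syslog hook mentioned under "What's new" above, as an added example that is not HERT's libaudit code: it interposes syslog(3), emits an audit trail line for each call, then forwards the call to libc. The audit_format_trail helper, the trail format and the stderr destination are assumptions of this example. The FAQ's perl caveat applies here too: a program that writes to the syslog socket directly never calls libc syslog(), so this hook never sees it.

```c
/* Build as a shared object and preload it (assumed file names):
 *   gcc -shared -fPIC -o libsyslog_hook.so syslog_hook.c
 *   LD_PRELOAD=./libsyslog_hook.so some_program
 * Only programs that go through the C syslog API are hooked. */
#define _GNU_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Build the trail line from the caller's pid, uid, facility, severity and
 * the raw format string (hypothetical format, not auditd's own trail format).
 * Returns the length the full line needs, with snprintf semantics, so a
 * caller can detect truncation. */
int audit_format_trail(char *buf, size_t len, int priority, const char *fmt)
{
    int facility = priority & LOG_FACMASK;   /* facility bits, e.g. LOG_AUTH */
    int severity = LOG_PRI(priority);        /* low three bits, e.g. LOG_WARNING */
    return snprintf(buf, len, "AUDIT pid=%ld uid=%ld fac=%d sev=%d fmt=\"%s\"",
                    (long)getpid(), (long)getuid(),
                    facility >> 3, severity, fmt ? fmt : "(null)");
}

/* Interposed syslog(): when preloaded, this definition shadows libc's.
 * Forwarding through vsyslog(), which is not overridden, reaches libc without
 * needing dlsym(RTLD_NEXT), so the shim links without -ldl. */
void syslog(int priority, const char *fmt, ...)
{
    char trail[512];
    va_list ap;

    audit_format_trail(trail, sizeof trail, priority, fmt);
    /* The trail goes to stderr in this example; a real shim would hand it
     * to the audit trail collector instead. */
    fprintf(stderr, "%s\n", trail);

    va_start(ap, fmt);
    vsyslog(priority, fmt, ap);   /* the original message still reaches syslogd */
    va_end(ap);
}
```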