Linux Audit

Download:

The latest is 2.6.1, released June 28, 2016.
ChangeLog

Need kernel headers >= 2.6.30

audit-2.6.1.tar.gz

audit-2.6.tar.gz

RHEL-5

audit-1.8-1.src.rpm (needs glibc-kernheaders >= 3.0)

audit-1.8.tar.gz (needs new kernel headers)

audit-1.7.18-1.src.rpm (needs glibc-kernheaders >= 3.0)

audit-1.7.18.tar.gz (needs new kernel headers)

RHEL-4

audit-1.0.16-1.src.rpm (needs glibc-kernheaders >= 2.4-9.1.95)

audit-1.0.16.tar.gz (needs new kernel headers)

You can compile the source rpm like this:
rpmbuild --rebuild audit-1.0.16-1.src.rpm


Future Direction

2.6 -> 2.7 Event Field Classification system in auparse
2.7 -> 3.0 Reactive component for IPS

Technical Resources

SVN
svn co http://svn.fedorahosted.org/svn/audit
or browse audit code

Mail List
There is a mailing list for discussing the Linux audit system. Please join if you have questions or are interested in this topic.

IRC
We have the #audit channel on freenode.

Specs
The specifications have moved to GitHub. The following links will be left in place for a while and then removed.

The specs around How to write good events
Dictionary of event field names in csv format
The specs around System Lifecycle events
The specs around User Login Lifecycle events
The specs around User Account Lifecycle events
The draft specs for Audit Event Enrichment
The specs to the Audit Event Parsing Library
The specs to the Auditd Real-time Event Interface
A diagram showing Audit System State

Articles:
Audit + Prelude HOWTO
Article about audit log visualization

Presentations:
Updated version of the 2007 Red Hat Summit slides about audit system and layering an IDS/IPS on it
Presentation given at Red Hat Summit 2008 about audit system and the prelude plugin
Presentation given at Red Hat Summit 2007 about audit system and layering an IDS/IPS on it
Slides from audit BoFs at SE Linux Symposium 2007
Slides from audit BoFs at SE Linux Symposium 2006

FAQ
Audit System FAQ

Test Suites
ausearch-test-0.5
audit-validation-0.1