Linux Audit


Download:

The latest is 1.7.3-1, released May 09, 2008. ChangeLog

audit-1.7.3-1.src.rpm needs glibc-kernheaders>=3.0-14

audit-1.7.3.tar.gz needs new headers

audit-1.7.2-1.src.rpm needs glibc-kernheaders>=3.0

audit-1.7.2.tar.gz needs new headers


RHEL-4

audit-1.0.16-1.src.rpm needs glibc-kernheaders>=2.4-9.1.95

audit-1.0.16.tar.gz needs new headers

You can build a binary package from the source RPM like this:
rpmbuild --rebuild audit-1.0.16-1.src.rpm


Future Direction

1.7 -> 1.8: remote logging and finishing the IDS/IPS plugin
1.8 -> 1.9: GUI-based search and report tool

Technical Resources

Specs
The specification of the Audit Event Parsing Library
The specification of the Auditd Real-time Event Interface

FAQ
Audit System FAQ

Articles:
Audit + Prelude HOWTO
Article about audit log visualization

Presentations:
Presentation given at Red Hat Summit 2007 about audit system and layering an IDS/IPS on it
Slides from audit BoFs at SE Linux Symposium 2007
Slides from audit BoFs at SE Linux Symposium 2006

Mail List
There is a mailing list for discussing the Linux audit system. Please join if you have questions or are interested in this topic.

LSPP Kernel
There is a yum repository that contains the current LSPP kernel and the matching user-space updates.