Linux Audit

   

Download:

The latest is 2.0.4, released Dec 07, 2009. ChangeLog

Need kernel headers >= 2.6.30

audit-2.0.4.tar.gz

audit-2.0.4-1.src.rpm

audit-2.0.3.tar.gz

audit-2.0.3-1.src.rpm

RHEL-5

audit-1.7.17-1.src.rpm need glibc-kernheaders>=3.0

audit-1.7.17.tar.gz need new headers

audit-1.7.16-1.src.rpm need glibc-kernheaders>=3.0-14

audit-1.7.16.tar.gz need new headers

RHEL-4

audit-1.0.16-1.src.rpm need glibc-kernheaders>=2.4-9.1.95

audit-1.0.16.tar.gz need new headers

You can compile the source rpm like this:
rpmbuild --rebuild audit-1.0.16-1.src.rpm

 

Future Direction

2.0 -> 2.1 Remote logging, auparse updates
2.1 -> 2.2 More IDS/IPS work

Technical Resources

SVN
svn co http://svn.fedorahosted.org/svn/audit
or browse audit code

Specs
The specs to the Audit Event Parsing Library
The specs to the Auditd Real-time Event Interface

FAQ
Audit System FAQ

Articles:
Audit + Prelude HOWTO
Article about audit log visualization

Mail List
There is a mail list to discuss the linux audit system. Please join if you have any questions or like this topic.

Presentations:
Presentation given at Red Hat Summit 2008 about audit system and the prelude plugin
Presentation given at Red Hat Summit 2007 about audit system and layering an IDS/IPS on it
Slides from audit BoFs at SE Linux Symposium 2007
Slides from audit BoFs at SE Linux Symposium 2006