Linux Audit

   

Download:

The latest is 2.3, released Apr 30, 2013.
ChangeLog

Need kernel headers >= 2.6.30

audit-2.3.tar.gz

audit-2.2.3.tar.gz

audit-2.2.2.tar.gz

RHEL-5

audit-1.8-1.src.rpm need glibc-kernheaders>=3.0

audit-1.8.tar.gz need new headers

audit-1.7.18-1.src.rpm need glibc-kernheaders>=3.0

audit-1.7.18.tar.gz need new headers

RHEL-4

audit-1.0.16-1.src.rpm need glibc-kernheaders>=2.4-9.1.95

audit-1.0.16.tar.gz need new headers

You can compile the source rpm like this:
rpmbuild --rebuild audit-1.0.16-1.src.rpm

 

Future Direction

2.3 -> 2.4 Audit by process name, auparse updates
2.4 -> 2.5 Improve tools to better handle aggregated logs, Reactive component for IPS

Technical Resources

SVN
svn co http://svn.fedorahosted.org/svn/audit
or browse audit code

Specs
The specs to the Audit Event Parsing Library
The specs to the Auditd Real-time Event Interface

FAQ
Audit System FAQ

Articles:
Audit + Prelude HOWTO
Article about audit log visualization

Mail List
There is a mail list to discuss the linux audit system. Please join if you have any questions or like this topic.

IRC
We have #audit on freenode

Presentations:
Updated version of the 2007 Red Hat Summit slides about audit system and layering an IDS/IPS on it
Presentation given at Red Hat Summit 2008 about audit system and the prelude plugin
Presentation given at Red Hat Summit 2007 about audit system and layering an IDS/IPS on it
Slides from audit BoFs at SE Linux Symposium 2007
Slides from audit BoFs at SE Linux Symposium 2006