Linux Audit

   

Download:

The latest is 2.4.1, released Oct 28, 2014.
ChangeLog

Need kernel headers >= 2.6.30

audit-2.4.1.tar.gz

audit-2.4.tar.gz

RHEL-5

audit-1.8-1.src.rpm need glibc-kernheaders>=3.0

audit-1.8.tar.gz need new headers

audit-1.7.18-1.src.rpm need glibc-kernheaders>=3.0

audit-1.7.18.tar.gz need new headers

RHEL-4

audit-1.0.16-1.src.rpm need glibc-kernheaders>=2.4-9.1.95

audit-1.0.16.tar.gz need new headers

You can compile the source rpm like this:
rpmbuild --rebuild audit-1.0.16-1.src.rpm

 

Future Direction

2.4 -> 2.5 Audit by process name, auparse updates
2.5 -> 2.6 Improve tools to better handle aggregated logs, Reactive component for IPS

Technical Resources

SVN
svn co http://svn.fedorahosted.org/svn/audit
or browse audit code

Mail List
There is a mail list to discuss the linux audit system. Please join if you have any questions or like this topic.

IRC
We have #audit on freenode

Specs
Draft copy of howto write good events
The specs around User account lifecycle events
Draft copy of User Login Lifecycle events
A diagram showing Audit System State
The specs to the Audit Event Parsing Library
The specs to the Auditd Real-time Event Interface

Articles:
Audit + Prelude HOWTO
Article about audit log visualization

Presentations:
Updated version of the 2007 Red Hat Summit slides about audit system and layering an IDS/IPS on it
Presentation given at Red Hat Summit 2008 about audit system and the prelude plugin
Presentation given at Red Hat Summit 2007 about audit system and layering an IDS/IPS on it
Slides from audit BoFs at SE Linux Symposium 2007
Slides from audit BoFs at SE Linux Symposium 2006

FAQ
Audit System FAQ

Test Suites
ausearch-test-0.5
audit-validation-0.1