A Look At Linux Audit
By Timothy R. Chavez

Overview
– What is Linux audit?
– Components of Linux audit
  • Audit subsystem
  • Audit daemons (auditd, audisp)
  • Administrative tools
– Some background
– Uses for Linux audit
  • Security
  • Non-security
– Current development
– Future development
– Questions

What is Linux audit?
A system to:
– Collect information regarding events occurring on the running system
  • Kernel events (system calls)
  • User events (audit-enabled programs)
– Form and log a record describing each event, using the information collected from that event
  • Syscall args, subject attributes, object attributes, time, and so on
– Analyze the log of records
Components of Linux audit
– Audit subsystem
– Audit daemon
– Tools
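The "What is Linux audit?" slide says each event is logged as a record built from syscall args, subject attributes, object attributes and time, and that the log is then analyzed. What the kernel actually emits is several records per event (SYSCALL, EXECVE, CWD, PATH, ...) that share one `msg=audit(TIME:SERIAL)` id. The script below, an added example that is not part of the slides, re-joins those records into one line per event. The record layout and field names are the real audit.log format; the log lines themselves, and the names `SAMPLE_AUDIT_LOG` and `summarize_events`, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): correlate raw audit.log records into
# one summary line per event, keyed on the serial in msg=audit(TIME:SERIAL).

# Constructed sample: an execve of cat by auid 1000, then a failed openat of
# /etc/shadow (exit=-13 is EACCES) that hit a watch rule keyed "shadow-access".
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0a1b2c0 a1=55d0c0a1b3e0 a2=55d0c0a1b4f0 a3=0 items=2 ppid=1800 pid=1801 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="exec"
type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1700000000.123:4242): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/usr/bin/cat" inode=1234 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
type=PATH msg=audit(1700000000.123:4242): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5678 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.125:4243): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=1800 pid=1801 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="shadow-access"
type=CWD msg=audit(1700000000.125:4243): cwd="/home/alice"
type=PATH msg=audit(1700000000.125:4243): item=0 name="/etc/shadow" inode=9999 dev=fd:00 mode=0100640 ouid=0 ogid=42 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL'

# Read audit records on stdin, print one line per event:
# subject (auid/uid/exe), syscall and result, time, key, argv and object paths.
summarize_events() {
    awk '
    # Split a record into key=value pairs; quoted values lose their quotes.
    function kv(line, out,   n, i, parts, k, v) {
        n = split(line, parts, " ")
        for (i = 1; i <= n; i++) {
            if (index(parts[i], "=") == 0) continue
            k = substr(parts[i], 1, index(parts[i], "=") - 1)
            v = substr(parts[i], index(parts[i], "=") + 1)
            gsub(/"/, "", v)
            out[k] = v
        }
    }
    {
        split("", f)
        kv($0, f)
        # msg=audit(TIME:SERIAL): is the event id shared by all records of one event
        match($0, /audit\([0-9.]+:[0-9]+\)/)
        id = substr($0, RSTART + 6, RLENGTH - 7)
        split(id, t, ":"); ts = t[1]; serial = t[2]
        if (f["type"] == "SYSCALL") {
            order[++n] = serial
            summary[serial] = sprintf("time=%s serial=%s syscall=%s success=%s exit=%s auid=%s uid=%s exe=%s key=%s",
                ts, serial, f["syscall"], f["success"], f["exit"], f["auid"], f["uid"], f["exe"], f["key"])
        } else if (f["type"] == "EXECVE") {
            argv = ""
            for (i = 0; i < f["argc"] + 0; i++) argv = argv (i ? " " : "") f["a" i]
            cmd[serial] = argv
        } else if (f["type"] == "PATH") {
            paths[serial] = paths[serial] (paths[serial] ? "," : "") f["name"]
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            printf "%s", summary[s]
            if (s in cmd)   printf " argv=[%s]", cmd[s]
            if (s in paths) printf " paths=[%s]", paths[s]
            printf "\n"
        }
    }'
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_events
```

On a real system the same function reads `/var/log/audit/audit.log` (or `ausearch --raw` output) on stdin. Note that auditing a syscall records the object the syscall touched: for the execve event the PATH records name the binary and its loader, not the argument `/etc/shadow`; the file itself only shows up in the second event, where the open was denied. Records with non-printable arguments are hex-encoded by the kernel and are not handled by this small parser; `ausearch -i` decodes them.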
The “Big Picture”
Linux Audit In Depth
Audit Subsystem
– Configurable
  • Enable or disable audit in real time
  • Dynamically size the backlog
  • Set failure modes
  • Set a rate limit
– Generic audit framework
  • SELinux
– Robust system-call auditing
  • Collect information regarding system calls (for example, system-call args, object attributes, paths, time of execution, and so on)
  • Granular filtering mechanism
    – Add, remove, or list system-call filter rules
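The four knobs above (enable, backlog, failure mode, rate limit) and the filter rules are all set through auditctl. The script below is an added example, not from the slides, that applies a baseline and then checks a status dump for the settings that silently cost you records. The auditctl flags are real (-e enable, -b backlog, -f failure mode, -r rate limit, -a/-w/-k rules, -l list, -D delete all, -s status); the function names and the constructed `auditctl -s` output are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): set the audit subsystem knobs with
# auditctl and audit the resulting status for weak or failing settings.

# Apply a baseline. Needs root and a running audit subsystem.
# Order matters: build the rule set first, enable last.
audit_apply_baseline() {
    auditctl -D                    # drop existing rules so re-running is idempotent
    auditctl -b 8192               # kernel backlog: queue depth before records are lost
    auditctl -f 1                  # failure mode: 0 silent, 1 printk, 2 panic on lost record
    auditctl -r 0                  # no rate limit; a limit drops records past N per second
    # exec of any real user (auid >= 1000, and an auid actually set)
    auditctl -a always,exit -F arch=b64 -S execve -F 'auid>=1000' -F 'auid!=unset' -k exec
    auditctl -w /etc/shadow -p rwa -k shadow-access
    auditctl -e 1                  # -e 2 would also lock the configuration until reboot
    auditctl -l                    # list what the kernel actually holds
}

# Read "auditctl -s" output on stdin and print one finding per weak setting.
audit_check_status() {
    awk '
    $1 == "enabled"       { seen = 1; if ($2 == "0") print "WARN enabled=0 (auditing is off; -e 1 enables, -e 2 enables and locks)" }
    $1 == "failure"       { if ($2 == "0") print "WARN failure=0 (lost records are silent; -f 1 logs them, -f 2 panics)" }
    $1 == "rate_limit"    { if ($2 != 0) print "INFO rate_limit=" $2 " (records above this rate per second are dropped)" }
    $1 == "backlog_limit" { if ($2 < 8192) print "WARN backlog_limit=" $2 " (small queue; raise with -b)" }
    $1 == "lost"          { if ($2 > 0) print "ALERT lost=" $2 " (the kernel has already dropped records)" }
    END { if (!seen) print "WARN no enabled line found (is this auditctl -s output?)" }
    '
}

# Constructed status dumps in the "auditctl -s" layout: one weak, one as intended.
SAMPLE_STATUS_WEAK='enabled 1
failure 0
pid 812
rate_limit 500
backlog_limit 320
lost 17
backlog 0'
SAMPLE_STATUS_OK='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# Only touch the live kernel when explicitly asked for as root.
if [ "${AUDIT_APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
    audit_apply_baseline
    auditctl -s | audit_check_status
else
    printf '%s\n' "$SAMPLE_STATUS_WEAK" | audit_check_status
fi
```

The `lost` counter is the one to alert on: it is the kernel telling you the backlog overflowed or the rate limit fired, and every unit it counts is an event that never reached auditd. Run `auditctl -s | audit_check_status` from cron or a monitoring agent rather than only at configuration time.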
Audit Subsystem (diagram)
The Audit Daemon
– Responsibility
  • Log audit records coming from the kernel to the correct audit log, or pass them to an audit dispatcher daemon
  • Communication interface with the audit subsystem
– Configurable
  • Set disk space thresholds with corresponding actions
  • Define where audit logs are written, how many logs there can be, how big they can grow, and whether they should be rotated
  • Point the audit daemon to an audit dispatcher daemon
  • How and when to write audit records to disk
– Application interface
  • libaudit
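Every configurable item on the slide above maps to a key in auditd.conf: disk thresholds and actions (`space_left`, `space_left_action`, `admin_space_left`, `admin_space_left_action`, `disk_full_action`), log location and rotation (`log_file`, `max_log_file`, `num_logs`, `max_log_file_action`), the dispatcher (`dispatcher`) and write policy (`flush`, `freq`). The checker below is an added example, not from the slides, that reads such a file and flags the settings under which records are silently lost; the two configs and the function name are constructed for it.

```shell
#!/bin/sh
# Added example (not from the slides): check an auditd.conf for settings that
# lose records. Keys and values are the real auditd.conf vocabulary.

# Read auditd.conf on stdin, print one finding per weak setting.
audit_check_conf() {
    awk -F'[ \t]*=[ \t]*' '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    { k = $1; v = tolower($2); sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", v); c[k] = v }
    END {
        if (c["max_log_file_action"] == "ignore" || c["max_log_file_action"] == "syslog")
            print "WARN max_log_file_action=" c["max_log_file_action"] " (log grows without bound; use rotate or keep_logs)"
        if (c["max_log_file_action"] == "rotate" && c["num_logs"] + 0 < 2)
            print "WARN rotate with num_logs=" c["num_logs"] " (rotation discards history at once)"
        if (c["space_left_action"] == "ignore")
            print "WARN space_left_action=ignore (no warning before the disk fills)"
        if (c["admin_space_left"] + 0 >= c["space_left"] + 0)
            print "WARN admin_space_left (" c["admin_space_left"] ") must be below space_left (" c["space_left"] ")"
        if (c["disk_full_action"] == "ignore" || c["disk_full_action"] == "syslog")
            print "WARN disk_full_action=" c["disk_full_action"] " (records dropped on a full disk; suspend, single or halt fail closed)"
        if (c["flush"] == "none")
            print "WARN flush=none (buffered records are lost on a crash)"
        if (c["dispatcher"] == "")
            print "INFO dispatcher unset (no audit dispatcher will receive records)"
    }'
}

# Constructed weak configuration: every threshold action is ignore,
# the admin threshold is above the warning threshold, nothing is flushed.
SAMPLE_CONF_WEAK='# constructed auditd.conf with weak settings
log_file = /var/log/audit/audit.log
log_format = RAW
flush = none
max_log_file = 8
num_logs = 1
max_log_file_action = ignore
space_left = 75
space_left_action = ignore
admin_space_left = 100
admin_space_left_action = suspend
disk_full_action = ignore
disk_error_action = suspend'

# Constructed hardened configuration: warn by mail at 75 MB free, drop to
# single-user at 50 MB, halt when full, rotate through five files.
SAMPLE_CONF_OK='log_file = /var/log/audit/audit.log
log_format = RAW
flush = incremental_async
freq = 50
max_log_file = 8
num_logs = 5
max_log_file_action = rotate
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = single
disk_full_action = halt
disk_error_action = suspend
dispatcher = /sbin/audispd'

printf '%s\n' "$SAMPLE_CONF_WEAK" | audit_check_conf
```

Use `audit_check_conf < /etc/audit/auditd.conf` on a live host. The fail-closed actions (`single`, `halt`) are what a security policy that requires complete audit trails expects, and they are also how an attacker who can fill the disk takes the machine down, so pick them with that trade-off in mind. The `dispatcher` key belongs to the auditd generation this deck describes, where audispd is a separate process; audit 3.0 merged the dispatcher into auditd and no longer has that key.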
Audit Dispatcher Daemon
– Receives audit records from the audit daemon
– Plug-in framework
  • Specify multiple input plug-ins, a filter plug-in, and an output plug-in
– Groundwork for features like network and database logging