Greetings,

We have just released auditd version 1.10 for Linux.

Auditd is part of the Linux kernel auditing toolkit. It captures the audit trails created by the kernel auditing facility from /proc/audit, filters them, and saves them in specific log files. For the moment, auditd only supports the -t option, which enables timestamping of audit trails. Other command line options will probably be implemented in the next releases to add more flexibility to the package.

Comments, suggestions, and criticism are welcome.

http://www.hert.org/projects/linux/auditd/auditd.tar.gz
ftp://ftp.hert.org/pub/linux/auditd/auditd.tar.gz

PGP signatures:
http://www.hert.org/projects/linux/auditd/auditd.tar.gz.asc
ftp://ftp.hert.org/pub/linux/auditd/auditd.tar.gz.asc

PGP key:
http://www.hert.org/HERT_PGP.key
ftp://ftp.hert.org/pub/HERT_PGP.key

MD5sum:
ae160eb8d50ff3e87a11d27434af48d0  auditd-1.10.tar.gz

Here is the README file:

LINUX AUDIT Daemon: MANDATORY AUDITING FOR LINUX

by Marcus Wolf <[EMAIL PROTECTED]>, Promisc Security
Copyright (C) 1999 Hacker Emergency Response Team
http://www.hert.org/linux/auditd

Audit Daemon is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.

Audit Daemon is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Audit Daemon; see the file COPYING. If not, write to the Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

INSTALLATION

  # vi Makefile
  # vi audit.h
  # make
  # make install
  # ./kpatch
  # cd /usr/src/linux
  # make zlilo
  # echo "/usr/sbin/auditd" >> /etc/init/rc.daemons
  # reboot

INFORMATION

o /proc/audit
  This is where the kernel audit facility sends its raw trail information. It is in ASCII format, but you may have problems converting network byte order addresses to dotted-quad IPs manually. :)

o /sbin/auditd [-t]
  The audit daemon captures audit trails from /proc/audit, filters them according to its filtering rules, formats them, and writes them to a log file. The "-t" option forces auditd to apply timestamps to the audit trails.

o /etc/security/audit.conf
  The audit configuration file holds the auditd filtering rules. It enables the administrator to filter trails by flag, uid, and pid.
  - Multiple flags can be specified on a single line;
  - Only one pid can be specified per line;
  - Only one uid can be specified per line;
  - Flags, uids and pids can each be replaced by a '*' mask;

NOTES/BUGS/TODO

- The next release will probably include routing of audit trails to other hosts (similar to syslogd), and piping to commands;
- If you find any bug, please contact me at: Markus Wolf <[EMAIL PROTECTED]>
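The filtering rules, the -t timestamping and the network-byte-order address conversion described in the README, as an added Python example that is not part of auditd or of the original announcement. The README does not give the exact syntax of audit.conf or of the raw /proc/audit trails, so the example assumes a three-column rule layout (comma-separated flags, one uid, one pid, each replaceable by '*'), a raw trail layout of "FLAG uid pid key=value ...", that a rule selects the trails to keep, and that an address is the raw 32-bit word printed in hex as seen on a little-endian host; the configuration and trails below are constructed.

```python
import socket
import struct
import time

# Constructed audit.conf in an assumed three-column layout: a comma-separated
# list of flags, a single uid, a single pid, any of which may be the '*' mask.
SAMPLE_CONF = """\
# flags        uid    pid
EXEC,OPEN      *      *
*              0      *
CONNECT        1000   *
*              *      4242
"""

# Constructed raw trails in an assumed "FLAG uid pid key=value ..." layout.
# Addresses are assumed to be the raw 32-bit word in hex as a little-endian
# host prints it, which is why 192.168.1.1 appears as 0101a8c0.
SAMPLE_TRAILS = """\
EXEC 1000 3100 path=/bin/ls
CONNECT 1000 3101 addr=0101a8c0 port=80
OPEN 0 3102 path=/etc/shadow
READ 1000 3103 path=/etc/passwd
CONNECT 1001 4242 addr=0100007f port=22
UNLINK 1001 3105 path=/tmp/x
"""


def parse_conf(text):
    """Return a list of (flags, uid, pid) rules; None stands for the '*' mask."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("bad rule: %r" % line)
        flags, uid, pid = parts
        rules.append((
            None if flags == "*" else set(flags.split(",")),
            None if uid == "*" else int(uid),
            None if pid == "*" else int(pid),
        ))
    return rules


def parse_trail(line):
    """Split one raw trail into a dict with flag, uid, pid and extra fields."""
    flag, uid, pid, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"flag": flag, "uid": int(uid), "pid": int(pid), **fields}


def rule_matches(rule, trail):
    flags, uid, pid = rule
    return ((flags is None or trail["flag"] in flags)
            and (uid is None or trail["uid"] == uid)
            and (pid is None or trail["pid"] == pid))


def nbo_to_dotted(hexword):
    """Recover the dotted-quad form of a network-order address that a
    little-endian host printed as one 32-bit integer: repack it with "<I" to
    get the original byte sequence back, then let inet_ntoa format it."""
    return socket.inet_ntoa(struct.pack("<I", int(hexword, 16)))


def format_trail(trail, timestamp=False, now=None):
    """Render a trail as a log line; with timestamp=True, prefix a -t style stamp."""
    parts = [trail["flag"], "uid=%d" % trail["uid"], "pid=%d" % trail["pid"]]
    for key, value in trail.items():
        if key in ("flag", "uid", "pid"):
            continue
        if key == "addr":
            value = nbo_to_dotted(value)
        parts.append("%s=%s" % (key, value))
    line = " ".join(parts)
    if timestamp:
        when = time.time() if now is None else now
        line = time.strftime("%b %d %H:%M:%S", time.gmtime(when)) + " " + line
    return line


def filter_trails(conf_text, raw_text, timestamp=False, now=None):
    """Keep every trail that matches at least one rule and format it."""
    rules = parse_conf(conf_text)
    kept = []
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        trail = parse_trail(line)
        if any(rule_matches(rule, trail) for rule in rules):
            kept.append(format_trail(trail, timestamp, now))
    return kept


if __name__ == "__main__":
    for entry in filter_trails(SAMPLE_CONF, SAMPLE_TRAILS, timestamp=True):
        print(entry)
```

With the constructed rules, the READ and UNLINK trails are dropped because no rule covers their flag, uid or pid, while the CONNECT trail for pid 4242 is kept solely by the pid-only rule and has its address rendered as 127.0.0.1.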