Greetings,

We have just released auditd version 1.10 for Linux. Auditd is part of the Linux kernel auditing toolkit. It captures the audit trails created by the kernel auditing facility from /proc/audit, filters them, and saves them in specific log files.

For the moment, auditd only supports the -t option, which enables timestamping of audit trails. Other command line options will probably be implemented in the next releases to add more flexibility to the package.

Comments, suggestions, and criticism are welcome.

http://www.hert.org/projects/linux/auditd/auditd.tar.gz
ftp://ftp.hert.org/pub/linux/auditd/auditd.tar.gz

PGP signatures:
http://www.hert.org/projects/linux/auditd/auditd.tar.gz.asc
ftp://ftp.hert.org/pub/linux/auditd/auditd.tar.gz.asc

PGP key:
http://www.hert.org/HERT_PGP.key
ftp://ftp.hert.org/pub/HERT_PGP.key

MD5sum:
ae160eb8d50ff3e87a11d27434af48d0  auditd-1.10.tar.gz

Here is the README file:

LINUX AUDIT Daemon:
MANDATORY AUDITING FOR LINUX

by Marcus Wolf <[EMAIL PROTECTED]>, Promisc Security
Copyright (C) 1999 Hacker Emergency Response Team
http://www.hert.org/linux/auditd

Audit Daemon is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.

Audit Daemon is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with GNU CC; see the file COPYING. If not, write to the Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
INSTALLATION

# vi Makefile
# vi audit.h
# make
# make install
# ./kpatch
# cd /usr/src/linux
# make zlilo
# echo "/usr/sbin/auditd" >> /etc/init/rc.daemons
# reboot

INFORMATION

o /proc/audit
  This is where the kernel audit facility sends its raw trail information. It is in ASCII format, but you may have problems converting network byte order addresses to numbers-and-dots (n&d) IP addresses manually. :)

o /sbin/auditd [-t]
  The audit daemon captures audit trails from /proc/audit, filters them according to its filtering rules, formats them, and writes them to a log file. The "-t" option forces auditd to apply timestamps to the audit trails.

o /etc/security/audit.conf
  The audit configuration file holds the auditd filtering rules. It enables the administrator to filter trails by flag, uid, and pid.
  - Multiple flags can be specified on a single line;
  - Only one pid can be specified per line;
  - Only one uid can be specified per line;
  - Flags, uids and pids can each be replaced by a '*' mask;

NOTES/BUGS/TODO

- The next release will probably include audit trail routing to other hosts (similar to syslogd), and piping to commands;
- If you find any bug, please contact me at: Markus Wolf <[EMAIL PROTECTED]>
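As an added example (not part of the auditd package or this README), the following Python model applies the audit.conf filtering semantics described above to constructed trail records. The README does not give the file's syntax, so the line layout FLAGS UID PID, the comma-separated flag list, '#' comments and the trail record fields are all assumptions.

```python
# Model of the audit.conf filtering rules described above (added example, not
# HERT's code).  Assumed line format, since the README gives none: FLAGS UID PID,
# whitespace separated; FLAGS is a comma-separated list, any field may be '*'.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    flags: Optional[frozenset]  # None stands for the '*' mask on every field
    uid: Optional[int]
    pid: Optional[int]

def parse_rules(text: str) -> list:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' comments are an assumption
        if not line:
            continue
        fields = line.split()                 # one uid and one pid per line
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected FLAGS UID PID: {raw!r}")
        flags, uid, pid = fields
        rules.append(Rule(None if flags == "*" else frozenset(flags.split(",")),
                          None if uid == "*" else int(uid),
                          None if pid == "*" else int(pid)))
    return rules

def matches(rule: Rule, trail: dict) -> bool:
    """Every non-masked rule field must equal the trail's field."""
    if rule.flags is not None and trail["flag"] not in rule.flags:
        return False
    if rule.uid is not None and trail["uid"] != rule.uid:
        return False
    return rule.pid is None or trail["pid"] == rule.pid

def filter_trails(rules: list, trails: list) -> list:
    """Trails matching at least one rule are the ones auditd would log."""
    return [t for t in trails if any(matches(r, t) for r in rules)]

# Constructed sample configuration and trail records (not real auditd output).
CONF = """\
exec,open 0 *     # whatever root executes or opens, from any pid
* * 1             # every trail produced by pid 1
setuid * *        # all setuid events, any uid, any pid
"""
TRAILS = [
    {"flag": "exec",   "uid": 0,    "pid": 1234},  # kept by rule 1
    {"flag": "open",   "uid": 1000, "pid": 5678},  # dropped: uid is not 0
    {"flag": "fork",   "uid": 1000, "pid": 1},     # kept by rule 2
    {"flag": "setuid", "uid": 1000, "pid": 999},   # kept by rule 3
]
```

Calling filter_trails(parse_rules(CONF), TRAILS) returns the three kept records; a line with the wrong number of fields raises ValueError with its line number, which is the check a daemon should do before going live rather than silently logging nothing.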