
[HERT] ANNOUNCE: linux auditd daemon 1.10



Greetings,

We have just released auditd version 1.10 for linux.

    Auditd is part of the linux kernel auditing toolkit. It
    will capture auditing trails created by the kernel auditing
    facility from /proc/audit, filter them, and save them
    in specific log files. For the moment, auditd only supports
    the -t option, which enables audit trails timestamping.
    Other command line options will probably be implemented
    in the next releases to add more flexibility to the
    package.
Comments, suggestions, and criticism are welcome.

http://www.hert.org/projects/linux/auditd/auditd.tar.gz
ftp://ftp.hert.org/pub/linux/auditd/auditd.tar.gz

PGP signatures:
http://www.hert.org/projects/linux/auditd/auditd.tar.gz.asc
ftp://ftp.hert.org/pub/linux/auditd/auditd.tar.gz.asc

PGP key:
http://www.hert.org/HERT_PGP.key
ftp://ftp.hert.org/pub/HERT_PGP.key

MD5sum:
ae160eb8d50ff3e87a11d27434af48d0  auditd-1.10.tar.gz

Here is the README file:

LINUX AUDIT Daemon: 
MANDATORY AUDITING FOR LINUX 

by Marcus Wolf <klog@hert.org>, Promisc Security
Copyright (C) 1999 Hacker Emergency Response Team
http://www.hert.org/linux/auditd

Audit Daemon is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.

Audit Daemon is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with GNU CC; see the file COPYING.  If not, write to
the Free Software Foundation, 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA.  


INSTALLATION

	# vi Makefile
	# vi audit.h
	# make
	# make install
	# ./kpatch
	# cd /usr/src/linux
	# make zlilo
	# echo "/usr/sbin/auditd" >> /etc/init/rc.daemons
	# reboot


INFORMATION

	o /proc/audit

		This is where the kernel audit facility sends its raw
	  trail information. It is in ASCII format, but you may have
	  problems converting network byte order addresses to
	  dotted-decimal IPs manually. :)

	o /sbin/auditd [-t]

		The audit daemon captures audit trails from /proc/audit,
	  filters them following its filtering rules, formats them, and
	  outputs them to a log file. The "-t" option will force auditd
	  to apply timestamps to the audit trails.

	o /etc/security/audit.conf

		The audit configuration file keeps the auditd filtering
	  rules. It enables the administrator to filter trails by flag,
	  uid, and pid.

		- Multiple flags can be specified on a single line;
		- Only one pid can be specified per line;
		- Only one uid can be specified per line;
		- Flags, uids and pids can all be replaced by a
		  '*' mask.
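The filtering rules above, worked through as an added example that is not auditd's own code: the README does not show the concrete audit.conf syntax, so this assumes one rule per line with three whitespace-separated fields FLAGS UID PID (FLAGS comma-separated, UID and PID a single value each, '*' a wildcard in any field, '#' starting a comment), and keeps a trail when any rule matches it.

```python
# Added example, not auditd's code. Assumed audit.conf syntax (the README
# does not show it): one rule per line as FLAGS UID PID, FLAGS being a
# comma-separated list, UID and PID one value each, '*' a wildcard anywhere.
from typing import List, Optional, Set, Tuple

Rule = Tuple[Optional[Set[str]], Optional[int], Optional[int]]  # None = '*'

def _single_int(field: str, name: str) -> Optional[int]:
    """uid and pid fields hold one value or '*'; a list is a config error."""
    if field == "*":
        return None
    if "," in field:
        raise ValueError(f"only one {name} per line: {field!r}")
    return int(field)

def parse_rule(line: str) -> Rule:
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"expected FLAGS UID PID: {line!r}")
    flags = None if fields[0] == "*" else set(fields[0].split(","))
    return flags, _single_int(fields[1], "uid"), _single_int(fields[2], "pid")

def parse_config(text: str) -> List[Rule]:
    """Parse a whole audit.conf; '#' starts a comment (assumed syntax)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules

def keep_trail(rules: List[Rule], flag: str, uid: int, pid: int) -> bool:
    """True if at least one rule matches the trail's flag, uid and pid."""
    for flags, r_uid, r_pid in rules:
        if ((flags is None or flag in flags)
                and (r_uid is None or r_uid == uid)
                and (r_pid is None or r_pid == pid)):
            return True
    return False

# Constructed sample configuration (not from the page).
SAMPLE_CONF = """
# flags        uid   pid
exec,setuid    *     *      # every exec or setuid trail, any user
*              0     *      # everything root does
open           1000  4242   # one process of one user
"""
```

A uid or pid field carrying a comma-separated list is rejected at parse time, which is the check an administrator would want for the "only one per line" rule.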


NOTES/BUGS/TODO

	- The next release will probably include audit trails
	  routing to other hosts (similar to syslogd), and
	  piping to commands;
	- If you find any bug, please contact me at:

		Markus Wolf <klog@hert.org>
