audit daemon

Software Details:
Version: 2.4.3 updated
Upload Date: 28 Sep 15
Developer: Stephen Grubb
Distribution Type: Freeware

audit daemon (auditd) is a free, open source, non-interactive daemon with accompanying command-line programs that provide the user-space tools needed to create audit rules on Linux kernel-based operating systems.

Works as a limited standalone auditing framework

The software can also be used for searching and storing the audit records that were generated by the audit subsystem in Linux kernel 2.6 or later. It works as a limited standalone auditing framework on your GNU/Linux distribution.

The Linux Auditing Framework

Also known as the Linux Auditing Framework, the audit daemon project was initially created to provide system call auditing without stepping on the existing functionality provided by projects like SELinux.

How the program works

The program opens and closes the audit log files found in the folders specified in the audit_control file. It takes the files in the order in which they are listed in that file, reads audit data only from the kernel, and then writes that data to an audit log file.

Additionally, it executes a script called audit_warn when an audit folder fills past the limits specified in the audit_control file. audit daemon then sends warnings to the console and to the audit_warn mail alias.

Installing the audit daemon

To install the audit daemon on your GNU/Linux operating system from the source package, first download it from its official website (see the homepage link at the end of the article), save the archive in your home directory, and unpack it using an archive manager tool.

In a terminal emulator, navigate to the location of the extracted archive files using the ‘cd’ command (e.g. cd /home/softoware/audit-2.4.1), run the ‘./configure && make’ command to configure and compile the program, then run the ‘sudo make install’ command to install it system-wide.

What is new in this release:

  • Add python3 support for libaudit
  • Cleanup automake warnings
  • Add AuParser_search_add_timestamp_item_ex to python bindings
  • Add AuParser_get_type_name to python bindings
  • Correct processing of obj_gid in auditctl (Aleksander Zdyb)
  • Make plugin config file parsing more robust for long lines (#1235457)
  • Make auditctl status print lost field as unsigned number
  • Add interpretation mode for auditctl -s
  • Add python3 support to auparse library
  • Make --enable-zos-remote a build time configuration option (Clayton Shotwell)
  • Updates for cross compiling (Clayton Shotwell)
  • Add MAC_CHECK audit event type
  • Add libauparse pkgconfig file (Aleksander Zdyb)

What is new in version 2.4.1:

  • Make python3 support easier
  • Add support for ppc64le (Tony Jones)
  • Add some translations for a1 of ioctl system calls
  • Add command & virtualization reports to aureport
  • Update aureport config report for new events
  • Add account modification summary report to aureport
  • Add GRP_MGMT and GRP_CHAUTHTOK event types
  • Correct aureport account change reports
  • Add integrity event report to aureport
  • Add config change summary report to aureport
  • Adjust some syslogging level settings in audispd
  • Improve parsing performance in everything
  • When ausearch outputs a line, use the previously parsed values (Burn Alting)
  • Improve searching and interpreting groups in events
  • Fully interpret the proctitle field in auparse
  • Correct libaudit and auditctl support for kernel features
  • Add support for backlog_time_wait setting via auditctl
  • Update syscall tables for the 3.18 kernel
  • Ignore DNS failure for email validation in auditd (#1138674)
  • Allow rotate as action for space_left and disk_full in auditd.conf
  • Correct login summary report of aureport
  • Auditctl syscalls can now be given as a comma-separated list
  • Update rules for new subsystems and capabilities

What is new in version 2.3.2:

  • Put RefuseManualStop in the right systemd section (#969345)
  • Add legacy restart scripts for systemd support
  • Add more syscall argument interpretations
  • Add 'unset' keyword for uid & gid values in auditctl
  • In ausearch, parse obj in IPC records
  • In ausearch, parse subj in DAEMON_ROTATE records
  • Fix interpretation of MQ_OPEN and MQ_NOTIFY events
  • In auditd, restart dispatcher on SIGHUP if it had previously exited
  • In audispd, exit when no active plugins are detected on reconfigure
  • In audispd, clear signal mask set by libev so that SIGHUP works again
  • In audispd, track binary plugins and restart if binary was updated
  • In audispd, make sure we send signals to the correct process
  • In auditd, clear signal mask when spawning any child process
  • In audispd, make builtin plugins respond to SIGHUP
  • In auparse, interpret mode flags of open syscall if O_CREAT is passed
  • In audisp-remote, don't make address lookup always a permanent failure
  • In audisp-remote, remove EOE events more efficiently
  • In auditd, log the reason when email account is not valid
  • In audisp-remote, change default remote_ending action to reconnect
  • Add support for Aarch64 processors

What is new in version 2.2.1:

  • Add more interpretations in auparse for syscall parameters
  • Add some interpretations to ausearch for syscall parameters
  • In ausearch/report and auparse, allocate extra space for node names
  • Update syscall tables for the 3.3.0 kernel
  • Update libev to 4.0.4
  • Reduce the size of some applications
  • In auditctl, check usage against euid rather than uid

What is new in version 2.1.1:

  • When ausearch is interpreting, output "as is" if no = is found
  • Correct socket setup in remote logging
  • Adjusted a couple of default settings for remote logging and init script
  • Audispd was not marking restarted plugins as active
  • Audisp-remote should keep a capability if local_port < 1024
  • When audispd restarts plugin, send event in its preferred format
  • In audisp-remote, make all I/O asynchronous
  • In audisp-remote, add sigusr1 handler to dump internal state
  • Fix autrace to use correct syscalls on s390 and s390x systems
  • Add shutdown syscall to remote logging teardowns
  • Correct autrace rule for 32-bit systems

What is new in version 2.1:

  • Update auditctl man page for new field on user filter
  • Fix crash in aulast when auid is foreign to the system
  • Code cleanups
  • Add store and forward model to audispd-remote (Mirek Trmac)
  • Free memory on failed startups in audisp-prelude
  • Fix memory leak in aureport
  • Fix parsing state problem in libauparse
  • Improve the robustness of libaudit field encoding functions
  • Update capability tables
  • In auditd, make failure action config checking consistent
  • In auditd, check that NULL is not being passed to safe_exec
  • In audisp-remote, overflow_action wasn't suspending if that action was chosen
  • Update interpretations for virt events
  • Improve remote logging warning and error messages
  • Add interpretations for netfilter events

What is new in version 2.0.6:

  • ausearch/report performance improvements
  • Synchronize all sample syscall rules to use action,list
  • If program name provided to audit_log_acct_message, escape it
  • Fix man page for the audit_encode_nv_string function (#647131)
  • If value is NULL, don't segfault (#647128)
  • Fix simple event parsing to not assume session id can't be last (Peng Haitao)
  • Add support for new mmap audit event type
  • Add ability for audispd syslog plugin to choose facility local0-7 (#593340)
  • Fix autrace to use correct syscalls on i386 systems (Peng Haitao)
  • On startup and reconfig, check for excess logs and unlink them
  • Add a couple of missing parser debug messages
  • Fix error output resolving numeric address and update man page
  • Add netfilter event types
  • Fix spelling error in audit.rules man page (#667845)
  • Improve warning in auditctl regarding immutable mode (#654883)
  • Update syscall tables for the 2.6.37 kernel
  • In ausearch, allow searching for auid -1
  • Add queue overflow_action to audisp-remote to control queue overflows
  • Update sample rules for new syscalls and packages

What is new in version 2.0.5:

  • A couple of fixes were made for 32-bit systems when using an inode field in rules.
  • Syscall table updates were made for recent kernels.
  • New events were added for service start/stop and virtualization.
  • The handling of the ignore directive in auditctl was fixed.

What is new in version 2.0.3:

  • Many remote logging fixups were done, including a potential security problem if gssapi was enabled.

What is new in version 2.0.1:

  • getloginuid was fixed for Python bindings.
  • The audispd af_unix plugin was disabled by default.
  • A bug in remote logging was fixed.
  • The init script was updated.
  • The man page was updated.
