[HERT] ANNOUNCE: linux auditd daemon 1.10
daemon@ATHENA.MIT.EDU (Anthony C . Zboralski)
Tue Jan 26 16:09:13 1999
Date: Tue, 26 Jan 1999 15:43:50 +0100
Reply-To: "Anthony C . Zboralski" <acz@HERT.ORG>
From: "Anthony C . Zboralski" <acz@HERT.ORG>
To: BUGTRAQ@NETSPACE.ORG
Greetings,
We have just released auditd version 1.10 for linux.
Auditd is part of the linux kernel auditing toolkit. It
will capture auditing trails created by the kernel auditing
facility from /proc/audit, filter them, and save them
in specific log files. For the moment, auditd only supports
the -t option, which enables audit trails timestamping.
Other command line options will probably be implemented
in the next releases to add more flexibility to the
package.
Comments, suggestions, and criticism are welcome.
http://www.hert.org/projects/linux/auditd/auditd.tar.gz
ftp://ftp.hert.org/pub/linux/auditd/auditd.tar.gz
PGP signatures:
http://www.hert.org/projects/linux/auditd/auditd.tar.gz.asc
ftp://ftp.hert.org/pub/linux/auditd/auditd.tar.gz.asc
PGP key:
http://www.hert.org/HERT_PGP.key
ftp://ftp.hert.org/pub/HERT_PGP.key
MD5sum:
ae160eb8d50ff3e87a11d27434af48d0 auditd-1.10.tar.gz
here is the README file:
LINUX AUDIT Daemon:
MANDATORY AUDITING FOR LINUX
by Marcus Wolf <klog@hert.org>, Promisc Security
Copyright (C) 1999 Hacker Emergency Response Team
http://www.hert.org/linux/auditd
Audit Daemon is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
Audit Daemon is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with GNU CC; see the file COPYING. If not, write to
the Free Software Foundation, 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA.
INSTALLATION
# vi Makefile
# vi audit.h
# make
# make install
# ./kpatch
# cd /usr/src/linux
# make zlilo
# echo "/usr/sbin/auditd" >> /etc/init/rc.daemons
# reboot
INFORMATION
o /proc/audit
This is where the kernel audit facility sends its raw
trails information. It is in ascii format, but you may have
problems converting network byte order addresses to
numbers-and-dots (n&d) IPs manually. :)
o /sbin/auditd [-t]
The audit daemon captures audit trails from /proc/audit,
filters them following its filtering rules, formats them, and
outputs them to a log file. The "-t" option will force auditd
to apply timestamps to the audit trails.
o /etc/security/audit.conf
The audit configuration file keeps the auditd filtering
rules. It enables the administrator to filter trails by flag,
uid, and pid.
- Multiple flags can be specified on a single line;
- Only one pid can be specified by line;
- Only one uid can be specified by line;
- Both flags, uids and pids can be replaced by a
'*' mask;
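The three items above (raw trails from /proc/audit, the -t timestamping
option, and the audit.conf rule semantics) can be shown together in a
small model of the pipeline. This is an added example, not code from the
auditd package: the README does not give the layout of /proc/audit
records or audit.conf lines, so the key=value record format, the
"flags uid pid" rule columns, the any-of-these-flags matching, the
"a matching rule keeps the trail" policy, and the 8-hex-digit network
byte order address are all assumptions chosen for the demonstration.

```python
"""Model of auditd's capture -> filter -> format steps (added example).

All record and rule formats below are assumed for illustration; they are
not the real /proc/audit or audit.conf layouts.
"""
import socket
import time

# Constructed raw trails, as a kernel audit facility might write them.
# Assumed layout: key=value pairs; addr is the 4 address bytes in network
# byte order printed as 8 hex digits (the "n&d" conversion the README
# warns is awkward to do by hand). The last line is deliberately malformed.
SAMPLE_TRAILS = [
    "flags=EXEC,SETUID uid=0 pid=412 addr=00000000 path=/bin/su",
    "flags=CONNECT uid=1000 pid=731 addr=c0a80001 path=/usr/bin/telnet",
    "flags=OPEN uid=1000 pid=731 addr=00000000 path=/etc/shadow",
    "flags=CONNECT uid=65534 pid=902 addr=0a000005 path=/usr/sbin/in.ftpd",
    "bogus record without fields",
]

# Constructed audit.conf following the README's rules: several flags may
# share a line (comma-separated), exactly one uid and one pid per line,
# and '*' as a mask for any column.
SAMPLE_CONF = """
# flags        uid     pid
EXEC,SETUID    *       *
CONNECT        1000    *
OPEN           *       731
"""


def parse_conf(text):
    """Turn audit.conf text into a list of rule dicts; None means '*'."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("audit.conf line %d: expected 'flags uid pid'" % lineno)
        flags, uid, pid = parts
        rules.append({
            "flags": None if flags == "*" else set(flags.split(",")),
            "uid": None if uid == "*" else int(uid),   # one uid per line
            "pid": None if pid == "*" else int(pid),   # one pid per line
        })
    return rules


def ntoa(hex_addr):
    """Convert 8 hex digits of a network byte order IPv4 address to n&d form."""
    return socket.inet_ntoa(bytes.fromhex(hex_addr))


def parse_trail(line):
    """Parse one raw /proc/audit record (assumed key=value layout)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "flags": set(fields["flags"].split(",")),
        "uid": int(fields["uid"]),
        "pid": int(fields["pid"]),
        "addr": ntoa(fields["addr"]),
        "path": fields.get("path", ""),
    }


def matches(rule, trail):
    """A rule matches when every non-'*' column matches; flags match if
    the trail carries at least one of the rule's flags (assumed semantics)."""
    if rule["flags"] is not None and not (rule["flags"] & trail["flags"]):
        return False
    if rule["uid"] is not None and rule["uid"] != trail["uid"]:
        return False
    if rule["pid"] is not None and rule["pid"] != trail["pid"]:
        return False
    return True


def format_trail(trail, timestamp=False, now=None):
    """Render a trail for the log file; -t behaviour prefixes a timestamp."""
    body = "flags=%s uid=%d pid=%d addr=%s path=%s" % (
        ",".join(sorted(trail["flags"])), trail["uid"], trail["pid"],
        trail["addr"], trail["path"])
    if timestamp:
        body = time.strftime("%b %d %H:%M:%S", time.gmtime(now)) + " " + body
    return body


def run_auditd(raw_lines, conf_text, timestamp=False, now=None):
    """Capture, filter (keep trails that match any rule), format."""
    rules = parse_conf(conf_text)
    out = []
    for raw in raw_lines:
        try:
            trail = parse_trail(raw)
        except (KeyError, ValueError):
            continue  # never let one malformed kernel record kill the daemon
        if any(matches(r, trail) for r in rules):
            out.append(format_trail(trail, timestamp, now))
    return out


if __name__ == "__main__":
    for line in run_auditd(SAMPLE_TRAILS, SAMPLE_CONF, timestamp=True):
        print(line)
```

With the constructed input, the su execution, the uid 1000 connect and the
open of /etc/shadow by pid 731 are kept, the uid 65534 connect matches no
rule and is dropped, and the malformed record is skipped rather than
aborting the run. Skipping unparseable records matters for a mandatory
auditing daemon: a crash on bad input would silently stop the trail.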
NOTES/BUGS/TODO
- The next release will probably include audit trails
routing to other hosts (similar to syslogd), and
piping to commands;
- If you find any bug, please contact me at:
Markus Wolf <klog@hert.org>
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
iQCVAwUBNq3UpbiV3oeHg1NdAQFiSQQAyCAlrd64uwVq3y6fTgvVAwOe8tr2omRi
HkAZFEq12b7e7BxlFuXpygHfh5Lqw9HLvg1E9usvurjohucKf4oSTJWjvpUwky3P
+Cc+9e7/FnQlfkpqMZxu0jkppzGk+Bgai8OU6CVw4XveZGNI8j7y8xWdBJxs4zwi
Hq6+0Nj6rJY=
=1sEm
-----END PGP SIGNATURE-----