Auditd at scale

Published on 2015-08-09 00:00:00

Original

2015-08-09

Contents

Linux Audit is composed of a kernel-side component and a user-space component. It is primarily used to audit system calls. Some other kernels subsystems such as SELinux’s AVC also use Linux Audit. This document focuses on the use of Audit with system calls only.

In particular - for both forensics and live alerting purposes, it makes sense to audit system calls:

  • it’s a single point of entry for communication user-space (programs, etc. running on your OS), even if you communicate by other means afterwards, it

always start with a system call. - it cannot (too) easily be bypassed

.

blog comments powered by Disqus