Auditd at scale

Published on 2015-08-09 00:00:00




Linux Audit is composed of a kernel-side component and a user-space component. It is primarily used to audit system calls. Some other kernels subsystems such as SELinux’s AVC also use Linux Audit. This document focuses on the use of Audit with system calls only.

In particular - for both forensics and live alerting purposes, it makes sense to audit system calls:

  • it’s a single point of entry for communication user-space (programs, etc. running on your OS), even if you communicate by other means afterwards, it always start with a system call.

  • it cannot (too) easily be bypassed


blog comments powered by Disqus