huang zuxing blog @ home the quieter you become, the more you are able to hear.



Last week, during a meeting with an IT auditor, she asked: "Did you record the changes to the system in detail when a system admin logged into the machine and made modifications?" Hmm... In Linux we use auditd.

What is Linux auditd?

From the README file:

"Auditd is the name used for this package whose goal is to provide the linux kernel with a mandatory logging facility. By "mandatory", we mean that *every* process will be affected by the auditing, since it takes place in the kernel. Multiple system calls are logged by auditd in order to detect security abuses from userland processes without needing their cooperation. A great point in this practice is that even backdoors will be monitored by auditd. A bad point in such a system, however, is that details about the occurring actions are very poor. That's why auditd should be used for security, while syslogd should be used for debugging."
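To make the auditor's question concrete, here is an added example of my own (not from the auditd README or package): the kind of audit rules that record an admin's commands and changes under /etc, plus a small parser over constructed audit.log lines showing what the kernel-level records carry. The point it demonstrates is that the login uid (auid) survives su/sudo, so a command run as root is still tied back to the account that logged in, and that auditd hex-encodes arguments containing spaces, which a parser has to decode. The rules, the sample log lines, the serial numbers, pids and the names AUDIT_RULES, SAMPLE_LOG and admin_commands are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed rules in audit.rules syntax (an assumption about a typical setup, not from the post):
# the watch records writes/attribute changes under /etc, the syscall rule records every execve
# from a real login session (auid set) and tags both with a key for later searching.
AUDIT_RULES = """\
-w /etc/ -p wa -k etc_changes
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=-1 -k admin_cmds
"""

# Constructed sample audit.log content in auditd's record format. Serial 4242 is an admin
# (auid=1000) editing /etc/sudoers after becoming root (uid=0); serial 4243 shows an
# argument that auditd hex-encoded because it contains a space.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0 a1=55d0d0 a2=55d0e0 a3=0 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="admin_cmds"
type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="vi" a1="/etc/sudoers"
type=CWD msg=audit(1700000000.123:4242): cwd="/root"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/usr/bin/vi" inode=1001 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=59 success=yes exit=0 a0=55d0c0 a1=55d0d0 a2=55d0e0 a3=0 items=2 ppid=1234 pid=1240 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key="admin_cmds"
type=EXECVE msg=audit(1700000000.456:4243): argc=3 a0="cp" a1=2F7465737420636F6E66 a2="/etc/test.conf"
"""

HDR_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_value(raw):
    """Audit writes printable strings in double quotes; strings containing spaces, quotes or
    control characters are written as uppercase hex without quotes. Decode both forms."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) >= 2 and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_line(line):
    """Split one record into (type, timestamp, serial, {field: raw value})."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return rtype, float(ts), int(serial), dict(KV_RE.findall(rest))


def parse_log(text):
    """Group records by serial: one syscall event is SYSCALL + EXECVE + CWD + PATH records
    sharing the same msg=audit(time:serial) header."""
    events = defaultdict(lambda: {"time": None, "records": {}})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        events[serial]["time"] = ts
        events[serial]["records"].setdefault(rtype, []).append(fields)
    return dict(events)


def execve_argv(execve_fields):
    """Rebuild argv from an EXECVE record (argc plus a0..aN, each quoted or hex-encoded)."""
    argc = int(execve_fields.get("argc", "0"))
    return [decode_value(execve_fields.get(f"a{i}", "")) for i in range(argc)]


def admin_commands(text):
    """One row per execve event: who logged in (auid), what they ran, and as which euid."""
    rows = []
    for serial, ev in sorted(parse_log(text).items()):
        recs = ev["records"]
        if "SYSCALL" not in recs or "EXECVE" not in recs:
            continue
        sc = recs["SYSCALL"][0]
        rows.append({
            "serial": serial,
            "time": ev["time"],
            "auid": int(sc["auid"]),   # login uid: unchanged by su/sudo, the identity the auditor asks about
            "euid": int(sc["euid"]),   # effective uid the command actually ran with
            "ses": int(sc["ses"]),     # login session id, for grouping a whole admin session
            "tty": decode_value(sc.get("tty", "")),
            "key": decode_value(sc.get("key", "")),
            "argv": execve_argv(recs["EXECVE"][0]),
        })
    return rows


if __name__ == "__main__":
    for row in admin_commands(SAMPLE_LOG):
        print(f"{row['time']:.3f} ses={row['ses']} auid={row['auid']} euid={row['euid']} "
              f"tty={row['tty']} key={row['key']} cmd={' '.join(row['argv'])}")
```

On a real system the same correlation is done with `ausearch -k admin_cmds -i` (the `-i` interprets uids and hex strings), and `aureport` summarises per user; the parser above only shows what those tools read out of the records. The README's caveat also holds here: the records say which process ran which syscall with which arguments, not why, so for a change under /etc you get the writer and the path, and the actual content diff has to come from elsewhere.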
