September 2016

Analysis of the Linux Audit System

Sponsored by ComputerWeekly.com

This article in our Royal Holloway Security Series identifies serious flaws arising from architectural limitations of the Linux kernel, which cast doubt on its ability to provide forensically sound audit records, and discusses possible mitigation techniques.

Table of Contents

  • Audit mechanisms on an operating system (OS) record relevant system events to provide information for analysing the trustworthiness of the system. This is especially important for detecting or investigating potential compromises of a system.
  • In Linux-based operating systems, the standard framework for auditing is the Linux Audit Subsystem. It generates, processes and records relevant audit events either from within the kernel or from user-space programs.
  • In this article, we identify serious flaws due to architectural limitations of the Linux kernel, which cast doubts on its ability to provide forensically sound audit records. We also examine these limitations and discuss possible mitigation methods.