
All-Seeing Eye or Blind Man? Understanding the Linux Kernel Auditing System

PDF, 3.25MB
Published: 21 Sep, 2018
Created by: David Kennel

The Linux kernel auditing system provides powerful capabilities for monitoring system activity. While the auditing system is well documented, the manual pages, user guides, and much of the published writings on the audit system fail to provide guidance on the types of attacker-related activities that are, and are not, likely to be logged by the auditing system. This paper uses simulated attacks and analyzes logged artifacts for the Linux kernel auditing system in its default state and when configured using the Controlled Access Protection Profile (CAPP) and the Defense Information Systems Agency's (DISA) Security Implementation Guide (STIG) auditing rules. This analysis provides a clearer understanding of the capabilities and limitations of the Linux audit system in detecting various types of attacker activity and helps to guide defenders on how to best utilize the Linux auditing system.
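The analysis the abstract describes comes down to reading the records auditd wrote and asking which events a given ruleset captured. The following is an added example, not code from the paper or from the audit project: a small parser that groups the multi-record events in audit.log by their audit(TIMESTAMP:SERIAL) header, reconstructs the execve argument vector (decoding the hex encoding the kernel uses for arguments containing spaces), and counts events per rule key. The log excerpt is constructed for the example; the rule keys "exec-monitor" and "access" are assumed names and not keys from the CAPP or STIG rule files.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit.log excerpt (not taken from the paper). One record
# per line; records belonging to one event share the audit(TIMESTAMP:SERIAL)
# header. Syscall numbers are x86_64 (59 = execve, 257 = openat). The key=
# values are whatever the loaded rule tagged the event with; "exec-monitor"
# and "access" are assumed names. Event 203 is a login record that auditd
# writes with no syscall rule loaded at all, so it carries no key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1537500000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1800 pid=1801 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="exec-monitor"
type=EXECVE msg=audit(1537500000.101:201): argc=2 a0="cat" a1="/etc/shadow"
type=PATH msg=audit(1537500000.101:201): item=0 name="/usr/bin/cat" inode=1234 mode=0100755
type=SYSCALL msg=audit(1537500000.102:202): arch=c000003e syscall=257 success=no exit=-13 ppid=1800 pid=1801 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="access"
type=PATH msg=audit(1537500000.102:202): item=0 name="/etc/shadow" inode=5678 mode=0100000
type=USER_LOGIN msg=audit(1537500000.200:203): pid=1700 uid=0 auid=1000 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1537500000.300:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1800 pid=1802 auid=1000 uid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec-monitor"
type=EXECVE msg=audit(1537500000.300:204): argc=2 a0="ls" a1=2F746D702F6D7920646972
"""

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# A field is name=value; values may be double-quoted, single-quoted (the
# nested msg='...' of user-space records) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-F]{2})+')


def _clean(raw, hex_ok=False):
    """Strip quotes; optionally decode the kernel's hex encoding of strings."""
    if raw[:1] in ('"', "'"):
        return raw[1:-1]
    if hex_ok and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Parse one audit.log line into type, timestamp, serial and raw fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": dict(FIELD_RE.findall(body))}


def group_events(log_text):
    """Collect the records of each event under its serial number."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def summarize(log_text):
    """Reduce each event to the facts a defender reads first."""
    summary = {}
    for serial, recs in group_events(log_text).items():
        info = {"type": recs[0]["type"], "key": "(none)", "syscall": None,
                "success": None, "argv": [], "paths": []}
        for rec in recs:
            f = rec["fields"]
            if rec["type"] == "SYSCALL":
                info["syscall"] = int(f["syscall"])
                info["success"] = _clean(f.get("success", "no")) == "yes"
                key = _clean(f.get("key", "(null)"))
                if key != "(null)":  # auditd writes key=(null) for unkeyed rules
                    info["key"] = key
            elif rec["type"] == "EXECVE":
                # Arguments with spaces or control bytes arrive hex-encoded.
                info["argv"] = [_clean(f[f"a{i}"], hex_ok=True)
                                for i in range(int(f["argc"]))]
            elif rec["type"] == "PATH":
                info["paths"].append(_clean(f["name"], hex_ok=True))
        summary[serial] = info
    return summary


def count_by_key(log_text):
    """How many events each rule key produced; '(none)' marks unkeyed events."""
    return Counter(info["key"] for info in summarize(log_text).values())


if __name__ == "__main__":
    for serial, info in sorted(summarize(SAMPLE_LOG).items()):
        print(serial, info)
    print(count_by_key(SAMPLE_LOG))
```

Running the script over a real audit.log instead of SAMPLE_LOG makes the paper's question concrete: with no rules loaded, the summary contains only login-style records and no SYSCALL events at all, and with a CAPP or STIG ruleset the per-key counts show which of the loaded rules actually fired for the activity under study.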
