Welcome to auditd-1.20.


----[ DESCRIPTION

Auditd is the name of this package, whose goal is to provide the
Linux kernel with a mandatory logging facility. By "mandatory", we mean
that *every* process is affected by the auditing, since it takes
place in the kernel. Multiple system calls are logged by auditd in order
to detect security abuses by userland processes without needing their
cooperation. A strong point of this approach is that even backdoors are
monitored by auditd. A weak point of such a system, however, is that the
details recorded about the occurring actions are very poor. That is why auditd should
be used for security, while syslogd should be used for debugging.

This new release also includes debugging trail support, which enables
both the kernel and userland processes to issue debugging information
that will be logged by auditd. Since such trails are received from both
the kernel and userland processes, we have to establish some access
control to decide which processes can or cannot issue trails. Also, it
is important to understand that at this moment, auditd does *NOT*
authenticate trusted processes. Thus, any process that is a member of the
audit group will be able to spoof the identity of other processes.
However, processes which are trusted enough to issue audit trails
will probably be executed with the root userid or under a controlled
environment (e.g. daemons running under a sandbox userid).


----[ INSTALLATION

In order to install auditd, you will first need to install the kernel
auditing facility (kaf), either by patching your kernel (see the
'kpatch' directory), or by installing modkaf, which is a loadable kernel
module for Linux 2.2.X (or any kernel which supports dynamic proc node
registration).

Once this is done, you will have to build and install auditd. Auditd
was built to be as flexible as possible (some features still
remain to be added, though).

All of these steps can be performed automatically by running 'make build',
followed by 'make install'. However, you will want to edit the 'Config'
file first in order to set up the compiling environment.


----[ CONFIGURATION

You will find an example configuration file in etc/, which is not intended
to be used as-is. Information on how to edit this file is found in the
auditd manual page, but the process should not be too painful:

	<type>	<proc_name>	<pid>	<uid>	[file]	<log>

The first five fields are filtering criteria which must match
the audit trail in order for the rule to be applied to it. The fifth (file) field is
optional, and is taken into consideration only for open, exec and
modinit system calls. The last field is the file to which the formatted
audit trail will be appended.
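The following is an added example (not part of the auditd package) of how the rule format above can be parsed and matched against an incoming audit trail. It assumes two things the README does not state: that '*' in a field means "match anything", and that a rule carries the optional [file] field exactly when it has six fields rather than five. The rule lines and trails are constructed samples.

```python
"""Parse auditd-style rules and pick the log file(s) an audit trail goes to."""

# Trail types for which the optional [file] criterion is considered (from the README).
FILE_TYPES = {"open", "exec", "modinit"}

# Constructed sample rules: type proc_name pid uid [file] log
SAMPLE_RULES = """\
# root opening the shadow file, any process, any pid
open     *      *  0  /etc/shadow  /var/log/audit/shadow.log
# any execution of su
exec     *      *  *  /bin/su      /var/log/audit/su.log
# every module load, no file filter
modinit  *      *  *  /var/log/audit/modules.log
# everything httpd does
*        httpd  *  *  /var/log/audit/httpd.log
"""


def parse_rules(text):
    """Turn rule lines into dicts; '#' starts a comment (assumption, not from the README)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 6:          # [file] present (assumed: six fields means file given)
            type_, proc, pid, uid, file_, log = fields
        elif len(fields) == 5:        # [file] omitted
            type_, proc, pid, uid, log = fields
            file_ = None
        else:
            raise ValueError(f"line {lineno}: expected 5 or 6 fields, got {len(fields)}")
        rules.append({"type": type_, "proc_name": proc, "pid": pid,
                      "uid": uid, "file": file_, "log": log})
    return rules


def _matches(pattern, value):
    """'*' is assumed to be a wildcard; everything else is an exact string match."""
    return pattern == "*" or pattern == str(value)


def match_trail(rules, trail):
    """Return the log files of every rule whose criteria match `trail`.

    `trail` is a dict with keys type, proc_name, pid, uid and (optionally) file.
    """
    logs = []
    for r in rules:
        if not all(_matches(r[k], trail[k]) for k in ("type", "proc_name", "pid", "uid")):
            continue
        # The file criterion only applies to open/exec/modinit trails, as the README states.
        if r["file"] is not None and trail["type"] in FILE_TYPES and r["file"] != trail.get("file"):
            continue
        logs.append(r["log"])
    return logs
```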


----[ TO DO

	Crypto cookies for debugging trail authentication;
	Auditd -> MySQL interface;
	Audit trail transfer protocol (using asymmetric crypto);
	Profiler tool for easy auditd configuration;
	Win32 trail analysis tool;
	More syscall audit hooks;
	In-kernel basic trail filtering.


----[ SUPPORT

Support, bug reports, add-ons, etc. can be mailed to:
Markus Wolf <klog@hert.org>
