Monitoring Linux Systems Using Kernel Audit Subsystem
Offered By: Linux Foundation via YouTube
Course Description
Overview
Explore the Linux Kernel Audit Subsystem in this comprehensive conference talk by Vandana Salve from Prasme Systems. Gain insights into the architecture and principles of Linux kernel auditing, understanding its usefulness and components. Learn how to set up and configure the audit system, including the audit daemon and rules. Discover various audit subsystem tools and techniques for monitoring system objects, security configuration files, and filtering system call arguments. Delve into the inner workings of the audit subsystem and understand how audit event records are generated. This in-depth presentation provides a thorough overview of monitoring Linux systems using the Kernel Audit Subsystem, equipping you with valuable knowledge for enhancing system security and compliance.
Syllabus
Intro
Introduction to Audit subsystem
Linux kernel auditing: Architecture and principles
Usefulness of Audit subsystem
Components of Audit subsystem
User space component of Audit subsystem
Setting up audit system
Audit subsystem Tools
Configuring the audit daemon
Setting up audit rules
Basic audit rules
Watches on log and configuration files
Monitoring the system objects using system calls
Monitoring security configuration files
Filtering system call arguments
Audit subsystem - How does it work
An audit event record
Taught by
Linux Foundation
Related Courses
Introduction to Linux - Linux Foundation via edX
操作系统原理(Operating Systems) - Peking University via Coursera
Internet of Things: Setting Up Your DragonBoard™ Development Platform - University of California, San Diego via Coursera
Information Security-3 - Indian Institute of Technology Madras via Swayam
Introduction to Embedded Systems Software and Development Environments - University of Colorado Boulder via Coursera