Audlib: A Configurable, High-fidelity Application Audit Mechanism

Abstract

In this paper, we introduce Audlib, an extendable tool for generating security-relevant information on Unix systems. Audlib is a wrapper environment that generates application-level audit information from existing executable programs. Audlib is not a detection system; instead, it is designed to supplement existing audit systems and work transparently with them. Audlib records information that is not presently available from existing kernel-level audit sources. Here, we describe the design of the Audlib framework and the information it provides. We compare auditing the actions of a web server with Audlib to existing kernel audit sources and show that we have 2-4 times the throughput of Linux auditd and less than half the performance overhead of Solaris BSM while collecting detailed information about the server's execution. Although Audlib is focused on recording security information, this technique can be used to collect data for a wide variety of purposes including profiling, dependency analysis, and debugging.

Publisher

John Wiley & Sons

Publication Date

10-1-2010

Publication Title

Software-practice & Experience

Department

Computer Science

Document Type

Article

DOI

https://dx.doi.org/10.1002/spe.983

Keywords

Audit systems, Computer security monitoring, Attack detection, Intrusion detection, Misuse detection

Language

English

Format

text