Audlib: A Configurable, High-fidelity Application Audit Mechanism
Abstract
In this paper, we introduce Audlib, an extensible tool for generating security-relevant information on Unix systems. Audlib is a wrapper environment that generates application-level audit information from existing executable programs. Audlib is not a detection system; instead, it is designed to supplement existing audit systems and work transparently with them. Audlib records information that is not presently available from existing kernel-level audit sources. Here, we describe the design of the Audlib framework and the information it provides. We compare auditing the actions of a web server with Audlib to existing kernel audit sources and show that we have 2-4 times the throughput of Linux auditd and less than half the performance overhead of Solaris BSM while collecting detailed information about the server's execution. Although Audlib is focused on recording security information, this technique can be used to collect data for a wide variety of purposes, including profiling, dependency analysis, and debugging.
Repository Citation
Kuperman, Benjamin A., and Eugene H. Spafford. 2010. "Audlib: A Configurable, High-fidelity Application Audit Mechanism." Software-practice & Experience 40(11): 989-1005.
Publisher
John Wiley & Sons
Publication Date
10-1-2010
Publication Title
Software-practice & Experience
Department
Computer Science
Document Type
Article
DOI
https://dx.doi.org/10.1002/spe.983
Keywords
Audit systems, Computer security monitoring, Attack detection, Intrusion detection, Misuse detection
Language
English
Format
text