Overview
Audlib is an extensible tool for generating security-relevant, application-level audit data on Unix systems. It is designed to supplement existing audit systems and to work transparently alongside them, providing information that is not normally accessible to kernel-level audit sources. This is accomplished using a technique called library interposition, in which a separate shared library is loaded ahead of the system libraries and supplies its own versions of selected functions; each version records the call and then forwards it to the original. Interposition therefore generates audit data without recompiling either the system libraries or the application of interest, and without access to the source code of the executable on which the interposition is performed.
Design
The current version of Audlib consists of three interposable libraries, each of which is focused on producing information relevant to a particular class of security event. These three categories are attacks, intrusions, and computer misuse.
- Attacks - Attacks are attempts to exploit a vulnerability in a computer system. These include buffer overflow attacks, format string attacks, and race conditions. For each type of attack, Audlib logs data that is not available from typical kernel-level audit sources, such as the size, address, and payload of the source buffer.
- Intrusions - To detect intrusions, Audlib provides information for detection systems that use command sequences to determine when an impostor is masquerading as a legitimate user. Additionally, Audlib augments the record with information that can be used for basic anomalous-behavior detection.
- Computer Misuse - In addition to the potential misuse activities that kernel-level audit systems might be able to report, Audlib also logs every read() and write() request made by the target program. This allows very fine-grained monitoring, where detection is based on which portions of a file were accessed.
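The following is an added illustration of the interposition technique described in the Overview, applied to the read()/write() logging that the Computer Misuse library performs. It is example code written for this page, not Audlib's own source, and its record format, the AUDLIB_LOG environment variable, the default log path and the AUDLIB_INTERPOSE build flag are all assumptions of the example. Built as a shared object and loaded with LD_PRELOAD, it resolves the real libc read() and write() with dlsym(RTLD_NEXT), records the file offset before each call so the log shows which byte range of a regular file was touched, and writes the record through the real write() so that the library never re-enters itself.

```c
#define _GNU_SOURCE          /* for RTLD_NEXT */
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Format one audit record for a read()/write() call (record layout is an
 * assumption of this example). Returns the record length in bytes (without
 * the terminating NUL), or -1 when 'out' is too small; a truncated record
 * is worse than none, so nothing is emitted in that case.
 */
int audlib_format_record(char *out, size_t outlen, const char *call, int pid,
                         int fd, long long offset, size_t count, long long ret)
{
    int n = snprintf(out, outlen,
                     "audlib pid=%d call=%s fd=%d off=%lld len=%zu ret=%lld\n",
                     pid, call, fd, offset, count, ret);
    if (n < 0 || (size_t) n >= outlen)
        return -1;
    return n;
}

/*
 * Only regular files are audited: "which portion of a file was accessed"
 * has no meaning for ttys, pipes or sockets, and auditing them would also
 * flood the log with terminal I/O.
 */
int audlib_is_regular_file(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
}

#ifdef AUDLIB_INTERPOSE
/* The interposed entry points. Compiled only into the preload library so the
 * helpers above can also be linked into an ordinary test program. */
static ssize_t (*real_read)(int, void *, size_t);
static ssize_t (*real_write)(int, const void *, size_t);
static int log_fd = -1;

static void audlib_init(void)
{
    if (!real_read)
        real_read = (ssize_t (*)(int, void *, size_t)) dlsym(RTLD_NEXT, "read");
    if (!real_write)
        real_write = (ssize_t (*)(int, const void *, size_t)) dlsym(RTLD_NEXT, "write");
    if (log_fd < 0) {
        const char *path = getenv("AUDLIB_LOG");   /* assumed variable name */
        log_fd = open(path ? path : "/tmp/audlib.log",
                      O_WRONLY | O_CREAT | O_APPEND, 0600);
    }
}

static void audlib_emit(const char *call, int fd, long long off,
                        size_t count, ssize_t ret)
{
    char rec[160];
    int n = audlib_format_record(rec, sizeof rec, call, (int) getpid(),
                                 fd, off, count, (long long) ret);
    /* Write through the real write(), never the interposed one: calling
     * write() here would re-enter this library and recurse forever. */
    if (n > 0 && log_fd >= 0)
        real_write(log_fd, rec, (size_t) n);
}

ssize_t read(int fd, void *buf, size_t count)
{
    audlib_init();
    /* Capture the offset before the call so the record names the byte
     * range that was touched, not merely that a read happened. */
    long long off = audlib_is_regular_file(fd) ? (long long) lseek(fd, 0, SEEK_CUR) : -1;
    ssize_t ret = real_read(fd, buf, count);
    if (off >= 0)
        audlib_emit("read", fd, off, count, ret);
    return ret;
}

ssize_t write(int fd, const void *buf, size_t count)
{
    audlib_init();
    long long off = audlib_is_regular_file(fd) ? (long long) lseek(fd, 0, SEEK_CUR) : -1;
    ssize_t ret = real_write(fd, buf, count);
    if (off >= 0)
        audlib_emit("write", fd, off, count, ret);
    return ret;
}
#endif
```

Build the preload library with `gcc -shared -fPIC -DAUDLIB_INTERPOSE -o audlib_rw.so audlib_rw.c -ldl` and run a target as `AUDLIB_LOG=/tmp/audlib.log LD_PRELOAD=./audlib_rw.so ./target`. The same limits that apply to any interposer apply here: the dynamic loader ignores LD_PRELOAD for set-user-ID executables, statically linked programs and programs that issue the system call directly never pass through the library, and a file opened with O_APPEND reports the pre-call offset rather than the position the kernel actually writes to.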
Download
This is the source code for Audlib and the log reader. We currently do not supply any precompiled binaries. Audlib was developed under GNU/Linux with a recent version of the GCC compiler.
- Zip file (build #389)
- GZipped tar file (build #389)
Papers and related projects
Papers about Audlib
- Benjamin A. Kuperman and Eugene H. Spafford. Audlib: a configurable, high-fidelity application audit mechanism. Software: Practice and Experience, 40(11):989-1005, 2010. Available from: http://dx.doi.org/10.1002/spe.983.
- Nicholas Hatt*, Axis Sivitz*, and Benjamin A. Kuperman. Benchmarking operating systems. In Midstates Conference for Undergraduate Research in Computer Science and Mathematics, pages 63-68, November 2007. [ PDF | bib ]
- Benjamin A. Kuperman. A Categorization of Computer Security Monitoring Systems and the Impact on the Design of Audit Sources. PhD thesis, Purdue University, West Lafayette, IN 47907-1398, August 2004. [ PDF | bib ]
- Benjamin A. Kuperman and Eugene Spafford. Generation of Application Level Data via Library Interposition. Technical Report CERIAS TR 1999-11, COAST Laboratory, Purdue University, West Lafayette, IN, October 1999. [ PDF | bib ]
Spinoff projects
Trackle is an integrated system for tracking trouble tickets and the changes needed to resolve them. It is designed for a training environment in which newly hired admins are not necessarily experts, and it allows them to learn from past instances of similar problems.
Trackle used Audlib's misuse audit data generation library as the basis for its own file change tracking system.
- Daniel S. Crosta*, Matthew J. Singleton*, and Benjamin A. Kuperman. Fighting Institutional Memory Loss: The Trackle Integrated Issue and Solution Tracking System. In Proceedings of LISA '06: 20th Large Installation System Administration Conference, pages 287-298, Washington, DC, December 2006. USENIX Association. [ PDF | bib | LISA '06]
- Project website: http://www.sccs.swarthmore.edu/org/trackle/