Thursday, January 12, 2012

New Funded Project: Implementing auditdistd daemon

The FreeBSD Foundation is pleased to announce that Pawel Jakub Dawidek has been awarded a grant to implement the auditdistd daemon.

The FreeBSD audit facility provides fine-grained, configurable logging of security-relevant events. One of the key purposes of logging security events is postmortem analysis in case of system compromise. Currently the kernel can push audit records directly into a file or make them available through the /dev/auditpipe device. Because audit logs are stored locally by the kernel, an attacker gains access to them once the system is compromised, which lets him remove the trails of his activity.

The goal of the auditdistd project is to securely and reliably distribute audit records over the TCP/IP network from a local auditdistd daemon to a remote auditdistd daemon. In case of source system compromise, the attacker's activity can be analysed using data collected by the remote system, as only the remote system's audit logs can still be trusted.

The project will conclude in February 2012.

1 comment:

  1. Sounds like a brilliant program to me.
    Is it made in such a way that the monitored system can't know it is being monitored, so the attacker cannot block the communication between the two? (e.g. in the way ssh can issue a command on a remote system and catch the results)