Secure Auditing for Linux
General Information
  Project Status

Site Hosted By:

More Information
  Project Home Page
  Mailing List

About the Project

Secure Auditing for Linux is a research project funded by the Defense Advanced Research Projects Agency (DARPA).  The project will develop a kernel level auditing package for Red Hat Linux that is compliant with the Common Criteria specifications (C2 level equivalency) and provides features to protect logged information from unauthorized modification through the use of encryption techniques.


 According to the Guidance and Policy for the Department of Defense (DoD) Global Information Grid (GIG) Information Assurance (IA) document, it is DoD policy that the DoD defense in depth strategy will provide appropriate degrees of protection to all computing environments (i.e. hosts and applications).  Also according to the DoD Guidance and Policy document, GIG information systems will be monitored in order to detect, isolate, and react to intrusions, disruption of services, or other incidents that threaten the security of DoD.  It is also required that there be a way to collect and retain audit data to support forensics relating to misuse, penetration, reconstruction, or other investigations.  It is well known that the current auditing capabilities of Linux do not satisfy C2 specifications.  NSA, developing Security Enhanced Linux, has identified auditing as an area that requires improvement.  According to the GIG IA document, all GIG information systems and networks will be certified and accredited in accordance with the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP).  

During a forensics investigation, law enforcement will often rely on audit and transaction logs as a source of evidence.  However, they must also be able to prove that a malicious person has not altered those logs.  Section 69 of the Police and Criminal Evidence Act 1984 states that logs produced by a computer are not admissible as evidence unless it can be shown that there is no reasonable ground for believing them to be inaccurate and the computer was operating properly during the collection of data.  If it can be shown that the logs could and may have been tampered with, they are not admissible as evidence.  Forensics investigators can have minimum assurance on logs that maintain date/time stamps and checksums.  According to the DoD GIG IA document, systems must “collect and retain audit data to support forensics relating to misuse, penetration reconstruction, or other investigations.”

From the DoD and law enforcement perspective, audit logs are not only a necessity, but also a requirement to provide a secure open-source operating environment.This project will create a kernel-level auditing facility that not only monitors all processes and records events, but also provides a way to store the data that would allow it to be admissible in a court of law (i.e. encrypted, cryptographic checksum, exporting to a serial device, etc). We believe this capability would be a benefit not only to law enforcement, but also to all of DoD in support of the GIG information assurance objectives.

Points of Contact

The points of contact for the project are Wiliam Wolfe ( and Javier Godinez ( of Space and Naval Warfare Systems Center, San Diego.

This site is hosted at SourceForge, a free hosting service for Open Source software development.

Last updated on February, 2003 by Javier Godinez