Analyzing Linux Audit Data

I thought I’d give folks a quick heads up with what I am doing, and that is bringing Linux and Windows audit data as first class citizens to my monitoring tools.

If you saw some of my old Network Radar presentations, I talked about building a flexible, object oriented library of network monitoring objects, called the Network Monitoring Framework (NMF) that can be combined or extended in different ways to build different network monitoring applications to meet different needs.

Several years ago I extracted part of the NMF and made that the NetSQ core framework.

And then I added the Audit Monitoring Framework (AMF) to allow me, as with the Network Monitoring Framework, to combine and extend the objects to create custom audit trail monitoring applications.

Monitoring frameworks and applications

My shipping software has focused on Mac’s BSM audit data, but I’ve also added Windows EVTX audit data to the library (Analyzing Windows EVTX Logs and Exfiltration of the Swift). This last month I started working with Linux audit data.

Each audit system has its own idiosyncrasies, so coming up with a common tool for an analyst can be somewhat challenging.

I’ve started with Audit Viewer, and here is a sneak peek of the Linux audit analysis.