Audlib - security wrapper to generate audit information


Audlib is an extensible tool for generating security-relevant application level audit data on Unix systems. Audlib is designed to supplement existing audit systems and work transparently with them by providing information not normally accessible to kernel level audit sources. This is accomplished using a technique called library interposition. Interposition allows the generation of audit data without needing to recompile either the system libraries or the application of interest. This allows us to generate audit data without changing the system shared libraries or needing access to the source code for the executable on which the interposition is to be performed.


The current version of Audlib consists of three interposable libraries, each of which is focused on producing information relevant to a particular class of security event. These three categories are attacks, intrusions, and computer misuse.


This is the source code to Audlib and the log reader. We currently do not supply any precompiled binaries. Audlib was developed under GNU/Linux with a recent version of the GCC compiler.

Papers and related projects

Papers about Audlib

Spinoff projects

Trackle is an integrated system for tracking trouble tickets and the changes needed to resolve them. This system is designed to be used in a training environment where new admins are hired without necessarily being experts, but allow them to learn from past instances of similar problems.

This system used Audlib's misuse audit data generation library as the basis for its own file change tracking system.