As a key component of a secure operating system, the auditing subsystem plays a central role in monitoring the system, ensuring that the security policy is enforced correctly, and supporting intrusion detection systems. The original Linux audit mechanism, which is implemented in user-space applications, has inherent flaws and should be improved. This paper presents the design and implementation of a secure auditing system in the Linux kernel. The system implements auditing inside the kernel using loadable kernel modules (LKM), and applies a new system call hijacking method based on duplicating the interrupt descriptor table (IDT). In addition, the system collects comprehensive information from within the kernel, provides flexible configuration of auditing, and takes effective measures to protect the security of the auditing system itself.

Keywords: audit; loadable kernel modules; interrupt descriptor table.