06-09-2017, 12:24 PM
As a very important component of a secure operating system, the audit subsystem plays a key role in monitoring the system, ensuring the correct implementation of the security policy and building intrusion detection systems. The original Linux-based audit mechanism has inherent flaws and should be improved. This article presents the design and implementation of a secure audit system in the Linux kernel. This system implements the kernel audit function based on loadable kernel modules (LKMs), and applies a new method of system call hijacking based on interrupt descriptor table (IDT) replication. In addition, this system can collect complete information in the kernel, provide flexible audit configuration and take effective measures to protect the security of the audit system itself.