DEV.co
Open-Source Observability · linux-audit

audit-userspace

Linux Audit is a kernel-level system for recording and distributing security audit events on Linux systems. It intercepts system calls and logs detailed information about who performed what actions, meeting compliance requirements like PCI-DSS and Common Criteria.

Source: GitHub — github.com/linux-audit/audit-userspace
717
GitHub stars
237
Forks
C
Primary language
GPL-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorylinux-audit/audit-userspace
Ownerlinux-audit
Primary languageC
LicenseGPL-2.0 — OSI-approved
Stars717
Forks237
Open issues12
Latest releasev4.1.4 (2026-03-23)
Last updated2026-07-07
Sourcehttps://github.com/linux-audit/audit-userspace

What audit-userspace is

The audit framework captures syscall events via kernel integration and delivers them through the auditd daemon, which writes to disk and distributes events in real-time to audisp plugins. It requires kernel >= 5.15 and provides language bindings for Python and Go, with support for remote logging via Kerberos and LDAP.

Quickstart

Get the audit-userspace source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/linux-audit/audit-userspace.gitcd audit-userspace# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Compliance and Security Standards

Meets Common Criteria, PCI-DSS, and FAU_GEN1.1 regulatory audit trail requirements by recording detailed events (subject, object, result) with proper credential tracking for compliance audit purposes.

Enterprise Threat Detection and Forensics

Provides system-wide visibility into process and file access patterns, enabling detection of suspicious activity and post-incident forensic analysis at the kernel level before userspace filtering.

Multi-User Privilege Monitoring

Tracks login context and capability changes across users with kernel-enforced accountability, critical for environments requiring auditability of administrative actions and privilege escalations.

Implementation considerations

  • Requires kernel >= 5.15; verify kernel version and audit subsystem availability before deployment.
  • Disk partitioning best practice: dedicate /var/log/audit partition to prevent audit logs from being evicted by unrelated system activity; size based on retention policy and event volume.
  • Rule complexity increases with compliance scope; pre-written sample rules in /usr/share/audit-rules/ provide templates but require customization and testing for your threat model.
  • systemctl compliance gap: using systemctl to stop/start auditd breaks FAU_GEN1.1 login uid tracking; must use legacy service command for standards-compliant audit trail of daemon control.
  • Systemd hardening trade-off: 'systemd-analyze security' suggestions may place auditd in namespaces, breaking rule triggering and database access; auditd.service file is pre-tuned for functionality, not maximum isolation.

When to avoid it — and what to weigh

  • Minimal Logging Environments — High performance requirements with minimal logging overhead. Audit has non-negligible syscall interception cost; lighter alternatives may be preferable for throughput-critical systems.
  • Unsupported Architectures — Project explicitly has a moratorium on new platform support. If you require an unsupported CPU architecture beyond the documented list (x86_64, ARM, AARCH64, PPC, riscv, s390), contributions will be marked 'wont_fix'.
  • Simple File-Level Monitoring Only — If you only need basic file integrity checking or log rotation, lightweight tools like auditbeat, osquery, or native file watchers may be simpler without the syscall overhead and rule complexity.
  • Non-Linux Systems — Project is Linux-specific; no ports to Windows, BSD, or other Unix variants are available or planned.

License & commercial use

GPL-2.0 (GNU General Public License v2.0). GPLv2 is a reciprocal open-source license requiring derivative works to be licensed under GPLv2 and source code be available.

Commercial use of unmodified audit-userspace binaries is permitted under GPLv2. However, if you modify the source code for internal use or distribute modified versions, you must disclose source and license modifications under GPLv2. Redistribution of modified versions in proprietary products requires legal review. Use by commercial vendors for system monitoring on customer machines requires compliance with GPLv2 terms.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Audit-userspace runs as root and has direct kernel integration; its compromise enables audit log tampering and evasion of security controls. Deployment security depends on: (1) partition isolation to prevent log fill attacks, (2) careful rule design to avoid rules that create denial-of-service via excessive logging, (3) access control on /etc/audit/ rules and /var/log/audit/ files, (4) systemd configuration review for namespace/privilege constraints. Kernel-level audit support is required; older kernels may have bypass paths. Not a replacement for kernel-level MAC (SELinux/AppArmor) but complementary.

Alternatives to consider

auditbeat (Elastic)

Lightweight, agent-based syscall/file monitoring with Elasticsearch backend; simpler rules, easier remote forwarding, lower overhead than full audit framework.

osquery

Host monitoring via SQL-like queries; broader system visibility (processes, network, users) but lighter syscall tracing; better for threat hunting than deep compliance audit.

eBPF-based monitoring (Falco, tracee)

Modern kernel-level event capture without auditd overhead; simpler rule syntax, real-time alerting, good for cloud-native environments but less standardized for compliance.

Software development agency

Build on audit-userspace with DEV.co software developers

Linux Audit is essential for regulatory compliance but requires careful deployment planning. Assess kernel version, disk partitioning, rule complexity, and systemd integration needs. Review the mail list and sample rules before committing to production.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

audit-userspace FAQ

Can I use systemctl to start/stop auditd and remain compliant with security standards?
No. systemctl uses dbus which loses login uid tracking; this breaks FAU_GEN1.1 compliance. Use the legacy service command wrapper instead. auditd.service includes RefuseManualStop=yes to enforce this.
What happens if the audit partition fills up?
The daemon emits warnings at 'space left' and 'admin space left' thresholds, but will stop accepting new events if space exhausts. Allocate a dedicated /var/log/audit partition sized to your retention policy to prevent this.
Can I cross-compile audit-userspace for an embedded device?
Cross-compilation is unsupported and undocumented. You may be able to override CC, CXX, RANLIB, AR, LD, NM during configure, but this is not tested or officially supported.
Does audit-userspace support my CPU architecture?
Supported: x86_64, i386, ARM (some versions), AARCH64, PPC, PPCLE, riscv32, riscv64, s390, s390x. New architectures will not be added due to syscall table maintenance burden.

Software developers & web developers for hire

DEV.co helps companies turn open-source tools like audit-userspace into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source observability stack.

Evaluate Linux Audit for Your Compliance Stack

Linux Audit is essential for regulatory compliance but requires careful deployment planning. Assess kernel version, disk partitioning, rule complexity, and systemd integration needs. Review the mail list and sample rules before committing to production.