audit-userspace
Linux Audit is a kernel-level system for recording and distributing security audit events on Linux systems. It intercepts system calls and logs detailed information about who performed what actions, meeting compliance requirements like PCI-DSS and Common Criteria.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | linux-audit/audit-userspace |
| Owner | linux-audit |
| Primary language | C |
| License | GPL-2.0 — OSI-approved |
| Stars | 717 |
| Forks | 237 |
| Open issues | 12 |
| Latest release | v4.1.4 (2026-03-23) |
| Last updated | 2026-07-07 |
| Source | https://github.com/linux-audit/audit-userspace |
What audit-userspace is
The audit framework captures syscall events via kernel integration and delivers them through the auditd daemon, which writes to disk and distributes events in real-time to audisp plugins. It requires kernel >= 5.15 and provides language bindings for Python and Go, with support for remote logging via Kerberos and LDAP.
Get the audit-userspace source
Clone the repository and explore it locally.
git clone https://github.com/linux-audit/audit-userspace.gitcd audit-userspace# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires kernel >= 5.15; verify kernel version and audit subsystem availability before deployment.
- Disk partitioning best practice: dedicate /var/log/audit partition to prevent audit logs from being evicted by unrelated system activity; size based on retention policy and event volume.
- Rule complexity increases with compliance scope; pre-written sample rules in /usr/share/audit-rules/ provide templates but require customization and testing for your threat model.
- systemctl compliance gap: using systemctl to stop/start auditd breaks FAU_GEN1.1 login uid tracking; must use legacy service command for standards-compliant audit trail of daemon control.
- Systemd hardening trade-off: 'systemd-analyze security' suggestions may place auditd in namespaces, breaking rule triggering and database access; auditd.service file is pre-tuned for functionality, not maximum isolation.
When to avoid it — and what to weigh
- Minimal Logging Environments — High performance requirements with minimal logging overhead. Audit has non-negligible syscall interception cost; lighter alternatives may be preferable for throughput-critical systems.
- Unsupported Architectures — Project explicitly has a moratorium on new platform support. If you require an unsupported CPU architecture beyond the documented list (x86_64, ARM, AARCH64, PPC, riscv, s390), contributions will be marked 'wont_fix'.
- Simple File-Level Monitoring Only — If you only need basic file integrity checking or log rotation, lightweight tools like auditbeat, osquery, or native file watchers may be simpler without the syscall overhead and rule complexity.
- Non-Linux Systems — Project is Linux-specific; no ports to Windows, BSD, or other Unix variants are available or planned.
License & commercial use
GPL-2.0 (GNU General Public License v2.0). GPLv2 is a reciprocal open-source license requiring derivative works to be licensed under GPLv2 and source code be available.
Commercial use of unmodified audit-userspace binaries is permitted under GPLv2. However, if you modify the source code for internal use or distribute modified versions, you must disclose source and license modifications under GPLv2. Redistribution of modified versions in proprietary products requires legal review. Use by commercial vendors for system monitoring on customer machines requires compliance with GPLv2 terms.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
Audit-userspace runs as root and has direct kernel integration; its compromise enables audit log tampering and evasion of security controls. Deployment security depends on: (1) partition isolation to prevent log fill attacks, (2) careful rule design to avoid rules that create denial-of-service via excessive logging, (3) access control on /etc/audit/ rules and /var/log/audit/ files, (4) systemd configuration review for namespace/privilege constraints. Kernel-level audit support is required; older kernels may have bypass paths. Not a replacement for kernel-level MAC (SELinux/AppArmor) but complementary.
Alternatives to consider
auditbeat (Elastic)
Lightweight, agent-based syscall/file monitoring with Elasticsearch backend; simpler rules, easier remote forwarding, lower overhead than full audit framework.
osquery
Host monitoring via SQL-like queries; broader system visibility (processes, network, users) but lighter syscall tracing; better for threat hunting than deep compliance audit.
eBPF-based monitoring (Falco, tracee)
Modern kernel-level event capture without auditd overhead; simpler rule syntax, real-time alerting, good for cloud-native environments but less standardized for compliance.
Build on audit-userspace with DEV.co software developers
Linux Audit is essential for regulatory compliance but requires careful deployment planning. Assess kernel version, disk partitioning, rule complexity, and systemd integration needs. Review the mail list and sample rules before committing to production.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
audit-userspace FAQ
Can I use systemctl to start/stop auditd and remain compliant with security standards?
What happens if the audit partition fills up?
Can I cross-compile audit-userspace for an embedded device?
Does audit-userspace support my CPU architecture?
Software developers & web developers for hire
DEV.co helps companies turn open-source tools like audit-userspace into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source observability stack.
Evaluate Linux Audit for Your Compliance Stack
Linux Audit is essential for regulatory compliance but requires careful deployment planning. Assess kernel version, disk partitioning, rule complexity, and systemd integration needs. Review the mail list and sample rules before committing to production.