LUARM - Logging User Actions in Relational Mode
LUARM is an open source logging engine for the Linux operating system. It is designed to log user activities in detail into a simple relational database schema (MySQL is used, although the schema could easily be converted to PostgreSQL and other popular relational databases). It is written in Perl and provides a near real-time snapshot of file access, process/program execution and network endpoint user activities, organized in well-defined relational table formats. Its purposes are:
To assist system administrators and data security officers in the process of detecting and preventing external and internal threats to Linux based devices.
Since the logged data are stored away from the monitored Linux devices, LUARM can act as a valuable complement to existing data forensic investigation tools. This is because it is immune to the "observer effect" and to the dangers of "static" forensic analysis: dynamic information about file, network and process activity is not lost, and examining/logging the data does not affect the state of the source media.
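To make the relational approach concrete, the following is an added example and not LUARM's own code or schema. It models the three activity classes the description names (process execution, file access, network endpoints) as tables, loads a constructed snapshot from a monitored host, and then runs the kind of cross-table query a security officer would use: find processes that both read a file under a sensitive directory and opened a remote network endpoint. SQLite stands in for MySQL so the example runs offline; the table and column names are assumptions for illustration.

```python
import sqlite3

# Illustrative schema, an assumption for this example (not LUARM's actual tables).
# Each table keys its rows on the pid of the process that performed the activity.
SCHEMA = """
CREATE TABLE processes (
    pid        INTEGER NOT NULL,
    username   TEXT    NOT NULL,
    command    TEXT    NOT NULL,
    started_at TEXT    NOT NULL
);
CREATE TABLE file_access (
    pid     INTEGER NOT NULL,
    path    TEXT    NOT NULL,
    mode    TEXT    NOT NULL,   -- 'r', 'w' or 'rw'
    seen_at TEXT    NOT NULL
);
CREATE TABLE net_endpoints (
    pid         INTEGER NOT NULL,
    local_addr  TEXT    NOT NULL,
    remote_addr TEXT    NOT NULL,
    seen_at     TEXT    NOT NULL
);
"""

# Constructed sample snapshot rows, as a collector on a monitored host might
# send them to the central database. Addresses use documentation ranges.
PROCESSES = [
    (4120, "alice", "/usr/bin/vim /home/alice/notes.txt", "2024-01-15T09:00:01"),
    (4188, "bob",   "/usr/bin/python3 sync.py",           "2024-01-15T09:02:10"),
    (4190, "bob",   "/bin/bash",                          "2024-01-15T09:02:12"),
]
FILE_ACCESS = [
    (4120, "/home/alice/notes.txt", "rw", "2024-01-15T09:00:02"),
    (4188, "/srv/hr/payroll.csv",   "r",  "2024-01-15T09:02:11"),
    (4188, "/tmp/out.bin",          "w",  "2024-01-15T09:02:11"),
]
NET_ENDPOINTS = [
    (4188, "10.0.0.5:51234", "203.0.113.7:443", "2024-01-15T09:02:13"),
    (4190, "10.0.0.5:51240", "10.0.0.9:22",     "2024-01-15T09:02:14"),
]


def build_demo_db():
    """Create an in-memory database with the assumed schema and the sample snapshot."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    conn.executemany("INSERT INTO file_access VALUES (?, ?, ?, ?)", FILE_ACCESS)
    conn.executemany("INSERT INTO net_endpoints VALUES (?, ?, ?, ?)", NET_ENDPOINTS)
    conn.commit()
    return conn


def processes_reading_and_sending(conn, sensitive_prefix):
    """Return (username, command, path, remote_addr) tuples for every process
    that read a file under sensitive_prefix and also opened a remote endpoint.

    Correlating the two activity tables is what a flat per-event log cannot do
    cheaply; in the relational layout it is a two-table join on pid.
    """
    rows = conn.execute(
        """
        SELECT DISTINCT p.username, p.command, f.path, n.remote_addr
        FROM processes p
        JOIN file_access f   ON f.pid = p.pid
        JOIN net_endpoints n ON n.pid = p.pid
        WHERE f.path LIKE ? AND f.mode LIKE '%r%'
        ORDER BY p.pid
        """,
        (sensitive_prefix + "%",),
    ).fetchall()
    return rows


def activity_per_user(conn):
    """Return {username: (process_count, file_count, endpoint_count)} as a
    quick per-user summary of the snapshot."""
    rows = conn.execute(
        """
        SELECT p.username,
               COUNT(DISTINCT p.pid),
               COUNT(DISTINCT f.path),
               COUNT(DISTINCT n.remote_addr)
        FROM processes p
        LEFT JOIN file_access f   ON f.pid = p.pid
        LEFT JOIN net_endpoints n ON n.pid = p.pid
        GROUP BY p.username
        """
    ).fetchall()
    return {user: (procs, files, endpoints) for user, procs, files, endpoints in rows}


if __name__ == "__main__":
    db = build_demo_db()
    for hit in processes_reading_and_sending(db, "/srv/hr/"):
        print("sensitive read + network egress:", hit)
    print(activity_per_user(db))
```

A real deployment needs a host identifier and the process start time alongside the pid in every table, because pids are reused once a process exits; the join above would otherwise merge activity from unrelated processes that happened to share a pid. The query itself does not change, only the join keys.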
LUARM is being developed by George Magklaras at the Center for Security Communications and Network Research of the University of Plymouth, UK. It is part of a wider Insider Misuse research effort targeting insider misuse threat specification.