
What Port 48 Does

Port 48 is assigned to auditd, the Digital Audit Daemon. It was registered by Larry Scott of Digital Equipment Corporation (DEC) for both TCP and UDP.1 The daemon's job was straightforward and essential: watch what happens on a machine and write it down.

But port 48 wasn't just about local logging. The audit daemon monitored a known port for data from remote cooperating audit daemons.2 It could receive security audit data from other machines on the network, centralizing logs before "centralized logging" was a product category anyone was selling.

How the Digital Audit Daemon Worked

The auditd daemon on DEC's ULTRIX operating system ran as a server with three responsibilities:2

  1. Monitor local audit data from the kernel via /dev/audit
  2. Listen on port 48 for incoming connections from remote audit daemons
  3. Accept commands from the system administrator via an AF_UNIX socket

When a remote audit daemon connected, the local daemon spawned a dedicated child process to handle that connection.2 Multiple child daemons could run simultaneously, each servicing a different remote machine. This created a tree of watchers: one parent daemon receiving audit streams from across the network.

The daemon buffered audit data locally and flushed it to the audit log when the buffer neared capacity or when an administrator explicitly requested a flush. If the remote receiver went down, the local daemon stored data locally using configurable overflow behavior: it could switch to an alternate log, suspend auditing, overwrite the current log, or shut the system down entirely.3

Remote connections could be authenticated using Kerberos, verifying the identity of cooperating audit daemons before accepting their data.2

The Story Behind It

Digital Equipment Corporation was, for decades, the second-largest computer company in the world after IBM.4 They built the PDP and VAX minicomputers that powered universities and research labs. Their ULTRIX operating system was a BSD UNIX variant that ran on these machines.

In the 1980s, multi-user UNIX systems needed security auditing. When multiple people share a machine, you need to know who did what. DEC's answer was comprehensive: a kernel-level audit subsystem that could record security-relevant events, with auditd as the userspace daemon that collected and stored the data.3

The design was ahead of its time. The concept of sending audit data to a remote machine for centralized collection is exactly what modern Security Information and Event Management (SIEM) systems do. DEC built this capability into a daemon listening on port 48, with host-based access control (via /etc/sec/auditd_clients) and Kerberos authentication, before most organizations had even considered network-wide security monitoring.3

When DEC was acquired by Compaq in 1998, their ULTRIX system evolved into Tru64 UNIX (previously called Digital UNIX and OSF/1), and the audit subsystem carried forward.5 The concepts pioneered by DEC's audit daemon influenced the design of security auditing across UNIX-like systems for decades.

The Legacy

The modern Linux auditd is a separate implementation, but it carries the same name and serves the same purpose: recording security-relevant events at the kernel level and writing them to disk.6 The modern version uses configurable ports for remote logging rather than the fixed port 48, and it integrates with SELinux for mandatory access control auditing.

Port 48 itself has become quiet. Almost no modern system uses it. But the idea it carried, that machines should watch themselves and report what they see to a central authority, is now fundamental to how we secure networks. Every SIEM deployment, every centralized log aggregator, every security operations center running Splunk or Elastic is doing what auditd on port 48 did on DEC machines in the 1980s.

Security Considerations

Port 48 is not commonly targeted because it is rarely in use on modern systems. If you find something listening on port 48, it is unlikely to be the original Digital Audit Daemon. Investigate immediately:

# Check what's listening on port 48
sudo lsof -i :48
sudo ss -tulnp 'sport = :48'

# On macOS
sudo lsof -iTCP:48 -sTCP:LISTEN

Any unexpected service on port 48 warrants investigation.
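A Linux-only check that goes beyond the commands above, added here as an example (not code from the original page): it reads the kernel socket tables in /proc/net directly, compares the port numerically, and covers both TCP and UDP. The sample tables are constructed, the function names are illustrative, and a little-endian host is assumed.

```python
import socket
import struct

AUDITD_PORT = 48
TCP_LISTEN, UDP_BOUND = 0x0A, 0x07  # "st" codes: listening TCP; bound, unconnected UDP

# Constructed samples in /proc/net/tcp and /proc/net/udp layout (not real captures).
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
SAMPLE_TCP = HEADER + """\
   0: 00000000:0030 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456
   1: 0100007F:01E0 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23457
   2: 0F02000A:0030 1002000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 23458
"""
SAMPLE_UDP = HEADER + "  10: 0100007F:0030 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34567\n"

def decode_addr(hex_addr):
    """Turn the kernel's hex address into text (assumes a little-endian host)."""
    raw = bytes.fromhex(hex_addr)
    words = struct.unpack(f">{len(raw) // 4}I", raw)   # 32-bit words as printed
    packed = struct.pack(f"<{len(words)}I", *words)    # back to network byte order
    return socket.inet_ntop(socket.AF_INET if len(raw) == 4 else socket.AF_INET6, packed)

def port_listeners(table_text, proto, port=AUDITD_PORT):
    """Return sockets bound to exactly `port` (0x0030 is 48; 0x01E0, port 480, is not)."""
    want = TCP_LISTEN if proto.startswith("tcp") else UDP_BOUND
    hits = []
    for fields in map(str.split, table_text.splitlines()[1:]):   # skip the header row
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) == port and int(fields[3], 16) == want:
            hits.append({"proto": proto, "addr": decode_addr(addr_hex),
                         "uid": int(fields[7]), "inode": int(fields[9])})
    return hits

def scan_host(port=AUDITD_PORT):
    """Check the live tables on a Linux host; missing files are skipped."""
    found = []
    for proto in ("tcp", "tcp6", "udp", "udp6"):
        try:
            with open(f"/proc/net/{proto}") as fh:
                found += port_listeners(fh.read(), proto, port)
        except FileNotFoundError:
            pass
    return found

if __name__ == "__main__":
    for hit in scan_host():
        print(hit)
```

Each hit carries the owning uid and the socket inode; the inode appears as socket:[inode] among the owning process's /proc/<pid>/fd links.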

| Port | Service | Relationship |
| --- | --- | --- |
| 47 | (Reserved) | Previously NI FTP, de-assigned in 2017 |
| 49 | TACACS | Login Host Protocol, another early authentication service |
| 514 | Syslog | The other major UNIX logging service, still widely used |

Port 48: Digital Audit Daemon — The First Watcher on the Network • Connected