Audit Subsystem Documentation
Steve Grubb
sgrubb at redhat.com
Thu Sep 28 20:25:23 UTC 2006
On Wednesday 27 September 2006 16:57, Azrael wrote:
> Where can I find documentation regarding the underlying audit subsystem
> within the Linux kernel?
Not sure if there is much docs publicly available. Not because we don't want
it, but very little developer time.
> Specifically, the protocol docs for NETLINK_AUDIT, so that I may query the
> subsystem from any sort of language that supports NETLINK socket
> communication.
There's not really a protocol per se, you send a command and expect a
response. But you always get something back. The commands are in the
linux/audit.h header file. Aside from that, you'd probably just want to look
at libaudit source code.
> Does such documentation even exist?
Not really.
> If not, could somebody provide me with samples or a basic idea/flow of how
> it all works?
auditctl.c + libaudit pretty much shows it.
> I'd be willing to write it all down for public viewing if it hasn't yet been
> done and if someone can get me started.
That would be nice. We would like some docs available, but are short for time.
-Steve
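The send-a-command-and-read-the-reply flow Steve describes, shown as an added example (not code from the original post, and not libaudit's own code): it opens a NETLINK_AUDIT socket, sends an AUDIT_GET request with no payload, and reads back the kernel's struct audit_status, which is the same query auditctl -s performs. The message layout (struct nlmsghdr, AUDIT_GET, struct audit_status, NLMSG_ERROR acks) comes from linux/audit.h and linux/netlink.h; the function names build_audit_get, parse_audit_reply and query_audit_status are ours. The live query needs CAP_AUDIT_CONTROL (in practice root); the builder and parser work on constructed buffers without any privileges.

```c
/* Minimal NETLINK_AUDIT round trip: AUDIT_GET request -> audit_status reply.
 * Added example; message layout from linux/audit.h and linux/netlink.h,
 * function names are our own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* AUDIT_GET carries no payload: the request is just the netlink header. */
struct audit_request {
    struct nlmsghdr nlh;
};

/* Fill in the header for an AUDIT_GET request; returns the length for sendto(). */
size_t build_audit_get(struct audit_request *req, unsigned int seq)
{
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(0);          /* header only */
    req->nlh.nlmsg_type = AUDIT_GET;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->nlh.nlmsg_seq = seq;
    req->nlh.nlmsg_pid = 0;                         /* destination: kernel */
    return req->nlh.nlmsg_len;
}

/* Interpret one message received on an audit socket.
 * Returns 1 if it carried an AUDIT_GET status (copied into *st),
 * 0 for an ACK (NLMSG_ERROR with error == 0) or an unrelated message,
 * a negative errno for a kernel-reported error, -EBADMSG if malformed
 * or not the sequence number we asked for. */
int parse_audit_reply(const void *buf, size_t len, unsigned int seq,
                      struct audit_status *st)
{
    const struct nlmsghdr *nlh = buf;
    if (!NLMSG_OK(nlh, (int)len) || nlh->nlmsg_seq != seq)
        return -EBADMSG;
    if (nlh->nlmsg_type == NLMSG_ERROR) {
        const struct nlmsgerr *err = NLMSG_DATA(nlh);
        if (NLMSG_PAYLOAD(nlh, 0) < sizeof(*err))
            return -EBADMSG;
        return err->error;        /* 0 = plain ACK, else -errno from kernel */
    }
    if (nlh->nlmsg_type == AUDIT_GET) {
        size_t n = NLMSG_PAYLOAD(nlh, 0);
        if (n > sizeof(*st))
            n = sizeof(*st);      /* newer kernels append fields; take what fits */
        memset(st, 0, sizeof(*st));
        memcpy(st, NLMSG_DATA(nlh), n);
        return 1;
    }
    return 0;
}

/* Open NETLINK_AUDIT, send AUDIT_GET, read until the status (or an error)
 * arrives. The ACK may arrive before or after the status, so keep reading
 * past a plain ACK. Returns 0 on success or a negative errno. */
int query_audit_status(struct audit_status *st)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    struct audit_request req;
    unsigned int seq = 1;
    size_t len = build_audit_get(&req, seq);
    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    char buf[8192];
    int rc;
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof(buf), 0);
        if (n < 0) { rc = -errno; break; }
        rc = parse_audit_reply(buf, (size_t)n, seq, st);
        if (rc != 0) break;       /* 1 = status, <0 = error; 0 = ACK, keep reading */
    }
    close(fd);
    return rc == 1 ? 0 : rc;
}

int main(void)
{
    struct audit_status st;
    int rc = query_audit_status(&st);
    if (rc < 0) {
        fprintf(stderr, "AUDIT_GET failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("enabled=%u failure=%u pid=%u rate_limit=%u backlog_limit=%u lost=%u backlog=%u\n",
           st.enabled, st.failure, st.pid, st.rate_limit,
           st.backlog_limit, st.lost, st.backlog);
    return 0;
}
```

Build with a plain gcc invocation and run as root to see the same fields auditctl -s prints; an unprivileged run fails at socket() or sendto() with EPERM, which is the kernel's capability check on the audit socket doing its job. The same skeleton extends to the other commands listed in linux/audit.h, with the request payload and reply type changed accordingly.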