Comprehensive Documentation on the Linux Audit Framework
Steve Grubb
sgrubb at redhat.com
Mon Jun 5 21:28:10 UTC 2023
On Monday, June 5, 2023 6:17:28 PM EDT Vincent Abraham wrote:
> Greetings,
> Could anyone point me to a source for comprehensive documentation for the
> Linux audit framework? I want to know how the framework interacts with the
> kernel to retrieve log information.
If you look at the README page of the userspace portion of code, it mentions
that there is a netlink api. It simply listens and writes what it finds to
disk. Auditing must be enabled and you need to set the pid in the kernel and
then listen for events. There is no extensive documentation - the code is the
documentation to the low-level API.
There is also a best effort multicast netlink api that systemd-journald uses
to get events out of the kernel.
-Steve
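As an added example (not code from this thread, nor from the audit userspace project), the two paths Steve describes, written out in C against the raw netlink API: the default mode sends AUDIT_SET with enabled=1 and pid=getpid() to register the process as the audit daemon and then reads records off the socket; "multicast" mode instead joins the AUDIT_NLGRP_READLOG group, the best-effort read-only feed that systemd-journald consumes. The framing helpers (build_audit_set, pack_record, walk_records) are plain functions so the message layout can be exercised offline with constructed records; the sample audit lines in the usage below are constructed, not captured. Assumed: a Linux kernel with CONFIG_AUDIT, CAP_AUDIT_CONTROL for the unicast path (and auditd stopped, since the kernel tracks a single daemon pid) or CAP_AUDIT_READ for multicast; the program name auditread is arbitrary.

```c
/* Added example (not from the thread or the audit project): minimal audit reader
 * over NETLINK_AUDIT. Default: AUDIT_SET {enabled=1, pid=getpid()} makes us the
 * audit daemon (CAP_AUDIT_CONTROL; stop auditd first). "multicast": join
 * AUDIT_NLGRP_READLOG, the journald-style best-effort feed (CAP_AUDIT_READ). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>
#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif

struct audit_set_msg { struct nlmsghdr nlh; struct audit_status st; };

/* AUDIT_SET request: register `pid` as the audit daemon and enable auditing.
 * Returns nlmsg_len. Current kernels reject a pid other than the sender's own. */
size_t build_audit_set(struct audit_set_msg *m, pid_t pid, uint32_t seq)
{
    memset(m, 0, sizeof *m);
    m->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status));
    m->nlh.nlmsg_type = AUDIT_SET;
    m->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    m->nlh.nlmsg_seq = seq;               /* nlmsg_pid stays 0: the kernel */
    m->st.mask = AUDIT_STATUS_ENABLED | AUDIT_STATUS_PID;
    m->st.enabled = 1;
    m->st.pid = (uint32_t)pid;
    return m->nlh.nlmsg_len;
}

/* Frame a text record the way the kernel delivers one: nlmsghdr + raw text
 * (no NUL), NLMSG_ALIGN padded. Returns bytes used, 0 if `cap` is too small. */
size_t pack_record(void *buf, size_t cap, uint16_t type, uint32_t seq, const char *text)
{
    size_t tlen = strlen(text), total = NLMSG_SPACE(tlen);
    if (total > cap) return 0;
    struct nlmsghdr *nlh = buf;
    memset(buf, 0, total);
    nlh->nlmsg_len = NLMSG_LENGTH(tlen);
    nlh->nlmsg_type = type;
    nlh->nlmsg_seq = seq;
    memcpy(NLMSG_DATA(nlh), text, tlen);
    return total;
}

typedef void (*record_fn)(uint16_t type, const char *text, size_t len, void *ctx);

/* Walk every message in one recv() buffer. Record types (>= AUDIT_FIRST_USER_MSG:
 * user messages, SYSCALL/PATH/CWD, EOE) go to fn. NLMSG_ERROR with error 0 is the
 * ACK to our AUDIT_SET; nonzero is a refusal. Returns records seen, -1 + errno. */
int walk_records(void *buf, size_t len, record_fn fn, void *ctx)
{
    struct nlmsghdr *nlh = buf;
    int rem = (int)len, n = 0;
    for (; NLMSG_OK(nlh, rem); nlh = NLMSG_NEXT(nlh, rem)) {
        if (nlh->nlmsg_type == NLMSG_ERROR) {
            struct nlmsgerr *e = NLMSG_DATA(nlh);
            if (e->error) { errno = -e->error; return -1; }
        } else if (nlh->nlmsg_type >= AUDIT_FIRST_USER_MSG) {
            fn(nlh->nlmsg_type, NLMSG_DATA(nlh), NLMSG_PAYLOAD(nlh, 0), ctx);
            n++;
        }
    }
    return n;
}

/* Callback that keeps the most recent record as a NUL-terminated string. */
struct last_record { uint16_t type; int count; char text[256]; };
void keep_last(uint16_t type, const char *text, size_t len, void *ctx)
{
    struct last_record *r = ctx;
    if (len >= sizeof r->text) len = sizeof r->text - 1;
    memcpy(r->text, text, len);
    r->text[len] = '\0';
    r->type = type;
    r->count++;
}

int main(int argc, char **argv)
{
    int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) { perror("socket(NETLINK_AUDIT)"); return 1; }
    if (argc > 1 && strcmp(argv[1], "multicast") == 0) {
        int grp = AUDIT_NLGRP_READLOG;
        if (setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &grp, sizeof grp) < 0) {
            perror("NETLINK_ADD_MEMBERSHIP"); return 1;
        }
    } else {
        struct sockaddr_nl kern = { .nl_family = AF_NETLINK };
        struct audit_set_msg req;
        size_t len = build_audit_set(&req, getpid(), 1);
        if (sendto(fd, &req, len, 0, (struct sockaddr *)&kern, sizeof kern) < 0) {
            perror("sendto(AUDIT_SET)"); return 1;
        }
    }
    char buf[8192];
    struct last_record r;
    for (;;) {                      /* the kernel sends one record per datagram */
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { if (errno == EINTR) continue; perror("recv"); return 1; }
        r.count = 0;
        if (walk_records(buf, (size_t)n, keep_last, &r) < 0) { perror("AUDIT_SET"); return 1; }
        if (r.count) printf("type=%u %s\n", r.type, r.text);
    }
}
```

Build with `gcc -O2 -o auditread auditread.c`; run as root with auditd stopped (`./auditread`), or `./auditread multicast` for the read-only group. Two details the paragraph above does not spell out: the record payload is not NUL terminated, so the length from NLMSG_PAYLOAD must be honoured rather than treating the data as a C string, and with NLM_F_ACK set the first message back is an NLMSG_ERROR whose error field is 0 on success and a negative errno (typically -EPERM without the capability) on refusal.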
More information about the Linux-audit mailing list