Comprehensive Documentation on the Linux Audit Framework

Paul Moore paul at paul-moore.com
Tue Jun 6 22:01:55 UTC 2023


On Tue, Jun 6, 2023 at 3:09 PM Steve Grubb <sgrubb at redhat.com> wrote:
> On Tuesday, June 6, 2023 6:31:55 PM EDT Vincent Abraham wrote:
> > Thanks. Could you also point to portions in the codebase where these
> > functions are called for monitoring file access?
>
> I'll let Richard or Paul point to the place in the kernel if that's
> necessary. I think there's a fundamental mismatch and it might not matter.

The audit subsystem in the Linux Kernel is currently found in the core
kernel/ directory:

% ls -1 kernel/audit*
kernel/audit.c
kernel/auditfilter.c
kernel/audit_fsnotify.c
kernel/audit.h
kernel/auditsc.c
kernel/audit_tree.c
kernel/audit_watch.c

> ... would be path, kind of access, who is accessing it, program accessing
> it, portions of se linux labeling, and a few other things.

FYI for everyone on the thread, the generally accepted way to write to
"SELinux" is as one word (no space between the "SE" and "Linux") and
with the first three letters capitalized.  I know we can be a little
lazy with capitalization, I definitely am, but writing it as one word
is the important part.

-- 
paul-moore.com
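The quoted message above describes what an audit record of a file access carries: the path, the kind of access, who did it, which program, and the SELinux labels. As an added example (not code from this thread, from the kernel, or from the audit userspace project), the following Python script shows how those pieces fit together on the consumer side: it correlates the SYSCALL and PATH records that the kernel emits for one event by their shared audit(timestamp:serial) id and pulls out exactly those fields. The log lines are constructed for the example; the field names follow the auditd record format, and the syscall-number table is an assumption that only covers a handful of x86_64 calls.

```python
import re
from collections import defaultdict

# Constructed sample records (not real log data). The field names follow the
# auditd record format (type, msg=audit(ts:serial), syscall, uid, exe, subj,
# name, obj, nametype, ...); every value below is invented for the example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1686088915.123:4711): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow-access"
type=CWD msg=audit(1686088915.123:4711): cwd="/home/alice"
type=PATH msg=audit(1686088915.123:4711): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1686088916.500:4712): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow-access"
type=PATH msg=audit(1686088916.500:4712): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
"""

# Every record starts with type=... msg=audit(timestamp:serial): followed by key=value pairs.
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$'
)
# Values are either double-quoted (may contain spaces) or bare (no spaces).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: arch=c000003e is AUDIT_ARCH_X86_64, so numbers come from the x86_64 table.
SYSCALL_NAMES_X86_64 = {0: "read", 1: "write", 2: "open", 87: "unlink", 257: "openat", 263: "unlinkat"}


def parse_record(line):
    """Parse one audit line into a dict, or return None if it is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(m.group("body"))}
    fields["type"] = m.group("type")
    # All records produced by the same syscall share the audit(timestamp:serial) id.
    fields["event_id"] = f'{m.group("ts")}:{m.group("serial")}'
    return fields


def group_events(log_text):
    """Group records by event id, preserving the order in which events were first seen."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["event_id"]].append(rec)
    return events


def syscall_name(fields):
    """Translate the numeric syscall field into a name (the 'kind of access')."""
    number = int(fields.get("syscall", -1))
    if fields.get("arch") == "c000003e":
        return SYSCALL_NAMES_X86_64.get(number, f"syscall_{number}")
    return f"syscall_{number}"


def summarize_file_access(log_text):
    """One summary per event that has both a SYSCALL and a PATH record: which path,
    what kind of access, who did it, which program, and the SELinux subject/object labels."""
    summaries = []
    for event_id, records in group_events(log_text).items():
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        paths = [r for r in records if r["type"] == "PATH"]
        if syscall is None or not paths:
            continue
        # Prefer the record for the object itself over the PARENT directory entry.
        target = next((p for p in paths if p.get("nametype") != "PARENT"), paths[-1])
        summaries.append({
            "event_id": event_id,
            "path": target.get("name"),
            "access": syscall_name(syscall),
            "success": syscall.get("success") == "yes",
            "uid": syscall.get("uid"),
            "auid": syscall.get("auid"),  # login uid, survives su/sudo
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "subj": syscall.get("subj"),  # SELinux label of the accessing process
            "obj": target.get("obj"),     # SELinux label of the accessed file
            "key": syscall.get("key"),    # rule key set with auditctl -k
        })
    return summaries


def denied_accesses(log_text):
    """Events the kernel reported as success=no, the ones most worth reviewing."""
    return [s for s in summarize_file_access(log_text) if not s["success"]]


if __name__ == "__main__":
    for summary in summarize_file_access(SAMPLE_AUDIT_LOG):
        print(summary)
```

Grouping by the audit(timestamp:serial) id is the important step: the kernel writes one SYSCALL record plus separate CWD and PATH records for a single open, so the path and the object label only make sense once joined to the SYSCALL record that carries the uid, exe and subject label.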
