On Monday, June 5, 2023 6:17:28 PM EDT Vincent Abraham wrote:
> Greetings,
> Could anyone point me to a source for comprehensive documentation for the
> Linux audit framework? I want to know how the framework interacts with the
> kernel to retrieve log information.
If you look at the README page of the userspace portion of code, it mentions
that there is a netlink API. It simply listens and writes what it finds to
disk. Auditing must be enabled and you need to set the pid in the kernel and
then listen for events. There is no extensive documentation - the code is the
documentation to the low-level API.
There is also a best-effort multicast netlink API that systemd-journald uses
to get events out of the kernel.
-Steve