On Tuesday, January 11, 2022 1:37:18 AM EST Rohit wrote:
> Hello Steve,
> Thank you, that's very helpful.
> > The compound events always have a syscall event, but as to the auxiliary
> > records, it really depends on the path the syscall takes through the kernel.
> > Various places are hooked and collect information.
> Would you have any reference links that would help me understand where
> these hooks that collect information are placed?
They start somewhere in this general area:
https://elixir.bootlin.com/linux/latest/source/include/linux/audit.h#L330
There are many hooks. The auxiliary record types are in the 1300 block:
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/audit.h...
The one exception is AUDIT_REPLACE, which was mistakenly placed in this block.
It should have been in the 1000 block.
-Steve
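The grouping described above (a SYSCALL record plus whatever auxiliary records the kernel's hooks emitted, all sharing one audit(timestamp:serial) id) as an added Python example; it is not code from the original thread. The sample records are constructed, and the set of record types treated as syscall-only auxiliaries is my assumption.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's text format (not from the original thread).
# All records of one compound event share the same audit(<timestamp>:<serial>) id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1641880638.123:4242): arch=c000003e syscall=257 success=yes exit=3 pid=1234 uid=1000 comm="cat" exe="/usr/bin/cat" key="watch-etc"
type=CWD msg=audit(1641880638.123:4242): cwd="/home/rohit"
type=PATH msg=audit(1641880638.123:4242): item=0 name="/etc/passwd" nametype=NORMAL
type=PROCTITLE msg=audit(1641880638.123:4242): proctitle=636174002F6574632F706173737764
type=USER_LOGIN msg=audit(1641880640.500:4243): pid=999 uid=0 auid=1000 msg='op=login id=1000 res=success'
type=PATH msg=audit(1641880641.001:4244): item=0 name="/tmp/x" nametype=CREATE
this line is not an audit record
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')

# Assumption: record types the kernel emits only as auxiliary records of a syscall event.
SYSCALL_AUX_TYPES = {"CWD", "PATH", "PROCTITLE", "EXECVE", "SOCKADDR"}

def parse_records(text):
    """Yield (event_id, record_type, body) for each well-formed record line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            continue  # skip malformed lines instead of aborting the whole parse
        yield (m.group("ts"), int(m.group("serial"))), m.group("type"), m.group("body")

def group_events(text):
    """Group records into compound events keyed by (timestamp, serial)."""
    events = defaultdict(list)
    for event_id, rtype, body in parse_records(text):
        events[event_id].append((rtype, body))
    return dict(events)

def event_types(events):
    """Map each serial to the record types of its event, in log order."""
    return {serial: [rtype for rtype, _ in recs] for (_, serial), recs in events.items()}

def incomplete_events(events):
    """Serials of events carrying syscall-only auxiliary records but no SYSCALL record.
    A compound event always has its SYSCALL record, so these point at lost records."""
    bad = []
    for serial, types in sorted(event_types(events).items()):
        if set(types) & SYSCALL_AUX_TYPES and "SYSCALL" not in types:
            bad.append(serial)
    return bad
```

Running `incomplete_events(group_events(SAMPLE_LOG))` flags serial 4244, whose PATH record arrived without its SYSCALL record, which is the kind of gap (backlog drop, truncated log) a detection pipeline should surface rather than silently ignore.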