* How Audit event triggers in Kernel @ 2011-01-27 12:14 Ashok Kumar J 2011-01-27 13:42 ` Steve Grubb 0 siblings, 1 reply; 2+ messages in thread From: Ashok Kumar J @ 2011-01-27 12:14 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 427 bytes --] Dear ALL, I saw the function audit_send in the netlink.c file. This function is used to send the audit rules set into kernel. My question is How Audit event triggers for system call in kernel. My second question is, After getting the reply packet from the netlink socket through the function audit_get_reply(). How the audit log format achieved for system call before storing the audit log. -- with regards Ashok Kumar J [-- Attachment #1.2: Type: text/html, Size: 484 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: How Audit event triggers in Kernel 2011-01-27 12:14 How Audit event triggers in Kernel Ashok Kumar J @ 2011-01-27 13:42 ` Steve Grubb 0 siblings, 0 replies; 2+ messages in thread From: Steve Grubb @ 2011-01-27 13:42 UTC (permalink / raw) To: linux-audit On Thursday, January 27, 2011 07:14:40 am Ashok Kumar J wrote: > I saw the function audit_send in the netlink.c file. This function is used > to send the audit rules set into kernel. My question is How Audit event > triggers for system call in kernel. The short answer id that there is a rule matcher that checks the current syscall against the list of rules. http://lxr.linux.no/#linux+v2.6.37/kernel/auditfilter.c#L657 In reality, its a little more complicated because you have to get the flow of control to this function from syscall entry and exit. http://lxr.linux.no/#linux+v2.6.37/kernel/auditsc.c#L1562 http://lxr.linux.no/#linux+v2.6.37/kernel/auditsc.c#L1674 > My second question is, After getting the reply packet from the netlink > socket through the function audit_get_reply(). How the audit log format > achieved for system call before storing the audit log. The event does not really get any substantial formatting because the audit daemon's job is to dequeue as fast as possible and get it to disk. Any display formatting can be done by search and reporting tools. But if you wanted to see it, this is the function that takes care of this for the RAW format specified in auditd.conf: https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L963 -Steve ^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-01-27 13:42 UTC | newest] Thread overview: 2+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-01-27 12:14 How Audit event triggers in Kernel Ashok Kumar J 2011-01-27 13:42 ` Steve Grubb
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.