From: Steve Grubb
To: linux-audit@redhat.com
Cc: Vincent Abraham
Subject: Re: Comprehensive Documentation on the Linux Audit Framework
Date: Mon, 05 Jun 2023 17:28:10 -0400
Message-ID: <3244111.44csPzL39Z@x2>
Organization: Red Hat
List-Id: Linux Audit Discussion

On Monday, June 5, 2023 6:17:28 PM EDT Vincent Abraham wrote:
> Greetings,
> Could anyone point me to a source for comprehensive documentation for the
> Linux audit framework? I want to know how the framework interacts with the
> kernel to retrieve log information.

If you look at the README page of the userspace portion of code, it mentions
that there is a netlink API. It simply listens and writes what it finds to
disk. Auditing must be enabled and you need to set the pid in the kernel and
then listen for events. There is no extensive documentation - the code is the
documentation to the low-level API.
There is also a best-effort multicast netlink API that systemd-journald uses
to get events out of the kernel.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit