Where can I find documentation regarding the underlying audit subsystem within the Linux kernel? Specifically, the protocol docs for NETLINK_AUDIT, so that I may query the subsystem from any sort of language that supports NETLINK socket communication.
Does such documentation even exist? If not, could somebody provide me with samples or a basic idea/flow of how it all works? I'd be willing to write it all down for public viewing if it hasn't yet been done and if someone can get me started.

Thanks,
Azrael

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
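The basic request/reply flow asked for above, as an added example that is not part of the original post or of the linux-audit project's code. It sends an AUDIT_GET request (type 1000, payload-less, flags NLM_F_REQUEST|NLM_F_ACK) to the kernel over a NETLINK_AUDIT socket and decodes the two messages that come back: an AUDIT_GET message whose payload is a struct audit_status, and an NLMSG_ERROR message whose error field is 0 (the ACK requested by NLM_F_ACK) or a negative errno. The message types, flags and payload structs come from the UAPI headers <linux/netlink.h> and <linux/audit.h>; every function name here (audit_build_msg, audit_parse_reply, audit_query_status) and the AUDIT_MSG_MAX buffer size are this example's own choices. The kernel only answers AUDIT_GET for a caller holding CAP_AUDIT_CONTROL in the initial pid namespace, so the live exchange in main() needs root; the encode/decode helpers run without it, and the simulated reply used below is constructed, not captured from a kernel.

```c
/* Added example: minimal NETLINK_AUDIT client (AUDIT_GET). Not linux-audit project code. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

#define AUDIT_MSG_MAX 8192          /* example's own choice: largest payload we build or read */

struct audit_msg {
    struct nlmsghdr hdr;            /* NLMSG_HDRLEN (16) bytes, payload follows at NLMSG_DATA() */
    unsigned char payload[AUDIT_MSG_MAX];
};

/* Encode one netlink message to/from the kernel (port id 0). Returns nlmsg_len, 0 if too big. */
static size_t audit_build_msg(struct audit_msg *m, uint16_t type, uint16_t flags,
                              uint32_t seq, const void *payload, size_t len)
{
    if (len > AUDIT_MSG_MAX)
        return 0;
    memset(m, 0, sizeof(*m));
    m->hdr.nlmsg_len   = NLMSG_LENGTH(len);   /* aligned header + payload */
    m->hdr.nlmsg_type  = type;                /* AUDIT_GET, AUDIT_SET, NLMSG_ERROR, ... */
    m->hdr.nlmsg_flags = flags;
    m->hdr.nlmsg_seq   = seq;                 /* echoed back in every reply */
    m->hdr.nlmsg_pid   = 0;
    if (len)
        memcpy(NLMSG_DATA(&m->hdr), payload, len);
    return m->hdr.nlmsg_len;
}

/* Decode one reply to sequence number `seq`. Returns the nlmsg_type of a data message
 * (AUDIT_GET fills *st), 0 for an NLMSG_ERROR with error 0 (the kernel's ACK), the
 * negative errno carried by an NLMSG_ERROR, or -EBADMSG for a malformed/foreign message. */
static int audit_parse_reply(const void *buf, size_t len, uint32_t seq, struct audit_status *st)
{
    const struct nlmsghdr *nlh = buf;
    size_t payload;

    if (len > INT_MAX || !NLMSG_OK(nlh, (int)len) || nlh->nlmsg_seq != seq)
        return -EBADMSG;
    payload = NLMSG_PAYLOAD(nlh, 0);

    if (nlh->nlmsg_type == NLMSG_ERROR) {
        struct nlmsgerr e;
        if (payload < sizeof(e))
            return -EBADMSG;
        memcpy(&e, NLMSG_DATA(nlh), sizeof(e));
        return e.error;                       /* 0 == ACK, otherwise -errno chosen by the kernel */
    }
    if (nlh->nlmsg_type == AUDIT_GET) {
        /* mask..backlog (eight __u32) are the original fields; a newer kernel may send more
         * and an older one fewer than this header declares, so copy only what both have */
        if (payload < 8 * sizeof(uint32_t))
            return -EBADMSG;
        memset(st, 0, sizeof(*st));
        memcpy(st, NLMSG_DATA(nlh), payload < sizeof(*st) ? payload : sizeof(*st));
    }
    return nlh->nlmsg_type;
}

/* Live exchange: 0 and *st filled on success, else -errno. Needs CAP_AUDIT_CONTROL. */
static int audit_query_status(struct audit_status *st)
{
    struct audit_msg msg;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 == the kernel */
    uint32_t seq = 1;
    int fd, rc, seen_data = 0, seen_ack = 0;

    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    size_t n = audit_build_msg(&msg, AUDIT_GET, NLM_F_REQUEST | NLM_F_ACK, seq, NULL, 0);
    if (sendto(fd, &msg, n, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        rc = -errno; close(fd); return rc;
    }
    /* The AUDIT_GET data and the ACK are separate messages; don't assume an order. */
    while (!(seen_data && seen_ack)) {
        ssize_t got = recv(fd, &msg, sizeof(msg), 0);
        if (got < 0) {
            if (errno == EINTR) continue;
            rc = -errno; close(fd); return rc;
        }
        rc = audit_parse_reply(&msg, (size_t)got, seq, st);
        if (rc < 0) { close(fd); return rc; }
        if (rc == 0) seen_ack = 1;
        else if (rc == AUDIT_GET) seen_data = 1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    struct audit_status st;
    int rc = audit_query_status(&st);
    if (rc < 0) {
        fprintf(stderr, "AUDIT_GET failed: %s (needs CAP_AUDIT_CONTROL)\n", strerror(-rc));
        return 1;
    }
    printf("enabled=%u failure=%u pid=%u rate_limit=%u backlog_limit=%u lost=%u backlog=%u\n",
           st.enabled, st.failure, st.pid, st.rate_limit, st.backlog_limit, st.lost, st.backlog);
    return 0;
}
```

Run as root and the output corresponds to what `auditctl -s` prints; as an unprivileged user the kernel answers with an NLMSG_ERROR carrying -EPERM, which audit_parse_reply hands back unchanged. The same build/parse pair works for the other request types in <linux/audit.h> (AUDIT_SET with a struct audit_status payload and a mask of the fields to change, AUDIT_LIST_RULES, which returns one AUDIT_LIST_RULES message per rule followed by NLMSG_DONE); only the payload struct and the types you accept in the receive loop change.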
