On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> Anyway, I think I need to spend some time playing until that "aha!"
> moment comes. It feels a lot closer thanks to both of your responses
> and I really appreciate the time you've taken to read my emails and
> respond to them.
There are simple events which are one line and compound events which are multiple lines - called records. The simple events tend to be hardwired and not optional. For example, logins are hardwired; kernel config changes are hardwired; authentication is hardwired.

The compound events tend to be related to audit rules (but not always). When the rule triggers, the syscall triggering the recording travels around different parts of the kernel. As it does so, there is code that observes and records different attributes of what it's doing. It may record the path, the socket, the command line, arguments of the syscall, etc. Then when the syscall finishes, the different observations are lumped together with the same serial number and output to the audit daemon.

The events originating from a rule can optionally have a key. This is to allow grouping of multiple rules that meet the same requirement. Simple events never have a key.

There are a couple of presentations here that may help understand the audit system:
https://people.redhat.com/sgrubb/audit/

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
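The structure Steve describes (records sharing one serial number form a compound event, a single record is a simple event, and only rule-triggered events carry a key) can be seen by regrouping raw audit lines. The script below is an added illustration, not code from the audit project or from the thread; the log lines it parses are constructed samples, and it assumes the standard `type=... msg=audit(TIMESTAMP:SERIAL):` prefix and the `key="..."` / `key=(null)` field as auditd writes them.

```python
import re

# Every audit record carries type=... and msg=audit(TIMESTAMP:SERIAL):; the serial
# is what ties the multiple records of one compound event together.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):')
KEY_RE = re.compile(r'\bkey=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# Constructed sample log (not real audit output): serial 456 is a compound
# event from a rule with key "config-changes", 457 is a simple hardwired login
# event, and 458 is a compound event from a rule that set no key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1678391548.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key="config-changes"
type=CWD msg=audit(1678391548.123:456): cwd="/root"
type=PATH msg=audit(1678391548.123:456): item=0 name="/etc/ssh/" inode=131 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1678391548.123:456): item=1 name="/etc/ssh/sshd_config" inode=144 dev=fd:00 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1678391548.123:456): proctitle=76696D002F6574632F7373682F737368645F636F6E666967
type=USER_LOGIN msg=audit(1678391560.001:457): pid=1300 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1678391570.500:458): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1234 pid=1400 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1678391570.500:458): argc=2 a0="cat" a1="/etc/hostname"
"""

def parse_record(line):
    """Return (serial, timestamp, type, key) for one audit line, or None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    k = KEY_RE.search(line)
    key = (k.group('quoted') or k.group('bare')) if k else None
    if key == '(null)':          # auditd prints key=(null) when the rule had no key
        key = None
    return m.group('serial'), m.group('ts'), m.group('type'), key

def group_events(log_text):
    """Group records sharing a serial number into events, keeping first-seen order."""
    events = {}
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, ts, rtype, key = parsed
        ev = events.setdefault(serial, {'serial': serial, 'timestamp': ts,
                                        'records': [], 'key': None})
        ev['records'].append(rtype)
        if key is not None:
            ev['key'] = key
    for ev in events.values():
        ev['compound'] = len(ev['records']) > 1   # one record = simple event
    return list(events.values())
```

Running `group_events(SAMPLE_LOG)` yields three events: 456 is compound with key `config-changes`, 457 is the simple login with no key, and 458 is compound but keyless because its rule set none.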