Audit Kernel Components - IBM Novell 10 SP1 EAL4 Design Manual

SUSE Linux Enterprise Server high-level design

Figure 5-69: Audit framework components
5.6.1.1 Audit kernel components

Linux Audit in the SLES kernel includes three kernel-side components relating to the audit functionality. The
first component is a generic mechanism for creating audit records and communicating with user space. The
communication is achieved via the netlink socket interface. Netlink enables the transfer of information between
kernel modules and user-space processes, and provides bidirectional communication links between kernel and
user space. Linux Audit consists of a standard sockets-based interface for user processes and an internal kernel
API for kernel modules.
5.6.1.1.1 Kernel-userspace interface
On top of netlink, there exists the generic netlink family, which provides simplified access for less demanding
users. It introduces a control for ID management and name resolution, and possesses a new type of safety
interface for handling netlink messages and attributes. This interface also features simplified message
construction, validation capabilities, and documentation.

This first component also receives user-space commands to control the operation of the audit framework and
to set the audit filter rules and file system watch points.
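
The framing of one such user-space command over the audit netlink socket, as an added example (not code from the design manual or from SLES): it builds an AUDIT_GET status request, then length-checks and parses the reply. The numeric constants and the eight-field audit_status layout are taken from <linux/netlink.h> and <linux/audit.h>; the helper names and the SAMPLE_REPLY bytes are constructed for this example.

```python
import socket
import struct

# Values from <linux/netlink.h> and <linux/audit.h>.
NETLINK_AUDIT, AUDIT_GET, NLMSG_ERROR, NLM_F_REQUEST = 9, 1000, 2, 0x01
NLMSG_HDR = struct.Struct("=IHHII")   # nlmsghdr: len, type, flags, seq, pid
AUDIT_STATUS = struct.Struct("=8I")   # first eight u32 fields of audit_status
STATUS_FIELDS = "mask enabled failure pid rate_limit backlog_limit lost backlog".split()

def build_request(msg_type, seq, payload=b""):
    """Frame one user-space command: nlmsghdr + payload, padded to 4 bytes."""
    length = NLMSG_HDR.size + len(payload)
    msg = NLMSG_HDR.pack(length, msg_type, NLM_F_REQUEST, seq, 0) + payload
    return msg.ljust((length + 3) & ~3, b"\0")

def parse_messages(buf):
    """Split a receive buffer into (type, seq, payload), checking lengths."""
    out, off = [], 0
    while off < len(buf):
        if off + NLMSG_HDR.size > len(buf):
            raise ValueError("truncated netlink header")
        length, mtype, _flags, seq, _pid = NLMSG_HDR.unpack_from(buf, off)
        if length < NLMSG_HDR.size or off + length > len(buf):
            raise ValueError("bad nlmsg_len")
        out.append((mtype, seq, buf[off + NLMSG_HDR.size:off + length]))
        off += (length + 3) & ~3      # next message starts 4-byte aligned
    return out

def parse_status(payload):
    """Decode the audit_status reply body into a dict of named counters."""
    if len(payload) < AUDIT_STATUS.size:
        raise ValueError("short audit_status payload")
    return dict(zip(STATUS_FIELDS, AUDIT_STATUS.unpack_from(payload)))

def query_status():  # live query; needs Linux and CAP_AUDIT_CONTROL
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as s:
        s.bind((0, 0))                # pid 0: kernel assigns the port id
        s.send(build_request(AUDIT_GET, seq=1))
        while True:
            for mtype, _seq, payload in parse_messages(s.recv(8192)):
                if mtype == NLMSG_ERROR and len(payload) >= 4:
                    err = struct.unpack_from("=i", payload)[0]
                    if err:           # negative errno, e.g. missing capability
                        raise OSError(-err, "audit request rejected")
                elif mtype == AUDIT_GET:
                    return parse_status(payload)

# Constructed sample reply (not captured from a real system).
SAMPLE_REPLY = NLMSG_HDR.pack(48, AUDIT_GET, 0, 1, 0) + AUDIT_STATUS.pack(
    0, 1, 1, 1234, 0, 256, 0, 3)
```

Calling parse_messages(SAMPLE_REPLY) and passing the payload to parse_status exercises the parser without privileges; query_status() performs the same exchange against a running kernel.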