Re: Q on audit, audit-syscall

On Wed, 05 Apr 2006 23:47:24 +0200, Herbert Rosmanith said:

> anyway, the manpage describes how auditd/libaudit works - not how it has been
> implemented/how it communicates with the kernel.
> I want to know how it works "under the hood", not just how to use it.

One thing that's not at all clear from casual reading of the source code
of either the kernel or the userspace, or most of the existing docs...

The audit facility is *very much* an after-the-fact logging - there are a
few places where the code jumps through very odd hoops to deal with the fact
that by the time an actual notification is generated, the entire process that
triggered the event could be *gone*, completely and totally.
