audit_get_features(3) — Linux manual page

NAME | SYNOPSIS | DESCRIPTION | RETURN VALUE | SEE ALSO | AUTHOR | COLOPHON

AUDIT_GET_FEATURES(3)        Linux Audit API        AUDIT_GET_FEATURES(3)

NAME         top

       audit_get_features, audit_set_feature - query or change kernel
       audit features

SYNOPSIS         top

       #include <libaudit.h>

       uint32_t audit_get_features(void);
       int audit_set_feature(int fd, unsigned feature, unsigned value,
       unsigned lock);"

DESCRIPTION         top

       audit_get_features() returns a bitmap describing which kernel
       audit features are supported.  The bitmap is cached internally and
       retrieved from the kernel on the first call.

       audit_set_feature() changes a feature bit for the kernel using the
       descriptor fd which must be an open audit netlink socket.  feature
       selects the bit to modify.  If value is nonzero the feature is
       enabled, otherwise it is disabled.  If lock is nonzero the feature
       setting is locked until reboot.

       The feature bits currently defined are:

       AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT
              Kernel supports changing the backlog queue depth.

       AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME
              Kernel supports delaying syscalls when the queue is full.

       AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
              Kernel will include the executable path on EXECVE records.

       AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
              Exclude rules may be used with more fields than just
              message type.

       AUDIT_FEATURE_BITMAP_SESSIONID_FILTER
              Session identifier filtering is supported.

       AUDIT_FEATURE_BITMAP_LOST_RESET
              Allows resetting the lost event counter.

       AUDIT_FEATURE_BITMAP_FILTER_FS
              Kernel supports file system field filtering.

RETURN VALUE         top

       audit_get_features returns the feature bitmap or 0 if feature
       queries are unsupported.  audit_set_feature returns <= 0 on error,
       otherwise it is the netlink sequence id number.

SEE ALSO         top

       audit_request_features(3), audit_reset_lost(3), audit_open(3).

AUTHOR         top

       Steve Grubb

COLOPHON         top

       This page is part of the audit (Linux Audit) project.  Information
       about the project can be found at 
       ⟨http://people.redhat.com/sgrubb/audit/⟩.  If you have a bug report
       for this manual page, send it to [email protected].  This
       page was obtained from the project's upstream Git repository
       ⟨https://github.com/linux-audit/audit-userspace.git⟩ on
       2025-08-11.  (At that time, the date of the most recent commit
       that was found in the repository was 2025-08-09.)  If you discover
       any rendering problems in this HTML version of the page, or you
       believe there is a better or more up-to-date source for the page,
       or you have corrections or improvements to the information in this
       COLOPHON (which is not part of the original manual page), send a
       mail to [email protected]

Red Hat                         July 2025           AUDIT_GET_FEATURES(3)

Pages that refer to this page: audit_request_features(3)audit_reset_lost(3)audit_set_loginuid_immutable(3)