Module netlink_audit

Audit rule suppression / netlink audit tamper detection.

Functions

is_audit_tampered
Classify whether the kernel audit subsystem has been tampered with by comparing the expected audit daemon PID against the PID that actually owns the audit netlink socket.
scan_audit_tampering
Scan for audit subsystem tampering.