Linux Kernel Architecture

(Jacob Rumans) #1

Chapter 19: Auditing


Figure 19-2: Data structures used by the audit mechanism. (Labels in the figure: task_struct, audit_context, struct audit_context, aux, audit_aux_data, audit_filter_list, Audit database.)

Note that audit_context may well be a NULL pointer. This is because an instance of audit_context
is allocated only if system call auditing is requested for a specific process. If no auditing is to be
performed, it is unnecessary to expend memory on a superfluous data structure. The definition of
struct audit_context is as follows:


kernel/auditsc.c
/* The per-task audit context. */
struct audit_context {
    int                     in_syscall;     /* 1 if task is in a syscall */
    enum audit_state        state;
    unsigned int            serial;         /* serial number for record */
    struct timespec         ctime;          /* time of syscall entry */
    uid_t                   loginuid;       /* login uid (identity) */
    int                     major;          /* syscall number */
    unsigned long           argv[4];        /* syscall arguments */
    int                     return_valid;   /* return code is valid */
    long                    return_code;    /* syscall return code */
    int                     auditable;      /* 1 if record should be written */
    int                     name_count;     /* number of entries used in names[] */
    struct audit_names      names[AUDIT_NAMES]; /* file names touched by the syscall */
    char                   *filterkey;      /* key for rule that triggered record */
    struct dentry          *pwd;            /* working directory at syscall time */
    struct vfsmount        *pwdmnt;         /* mount of the working directory */
    struct audit_context   *previous;       /* For nested syscalls */
    struct audit_aux_data  *aux;            /* list of auxiliary audit data */
    struct audit_aux_data  *aux_pids;       /* auxiliary data about target pids */

    /* Save things to print about task_struct */
    pid_t                   pid;
    uid_t                   uid, euid, suid, fsuid;
    gid_t                   gid, egid, sgid, fsgid;
    unsigned long           personality;
    int                     arch;
    ...
};