Linux Kernel Architecture


Chapter 19: Auditing


#define AUDIT_FILTER_WATCH 0x03 /* Apply rule to file system watches */
#define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */
#define AUDIT_FILTER_TYPE 0x05 /* Apply rule at audit_log_start */

When a rule matches, two actions (as denoted by action) can be performed. AUDIT_NEVER simply does
nothing, and AUDIT_ALWAYS generates an audit record.^4


If system calls are audited, mask specifies with a bit field which system calls to include.


Field/value pairs are employed to specify conditions under which an audit rule applies. The field denotes
some quantity that identifies an object within the kernel, such as a process ID. The value argument,
together with some comparison operators (e.g., ‘‘less than,’’ ‘‘greater than,’’ and so on), specifies which
set of values the field is allowed to possess to trigger an audit event. One particular example could be
‘‘create an audit log for all events where a process with PID 0 opens a message queue.’’ The fields and
values arrays represent such pairs, and the operator flags are kept in fieldflags. field_count denotes
how many pairs are included in a rule. The possible fields values are listed in <audit.h>. There are
quite a few of them, so this section does not document them all in detail — the documentation that
accompanies the audit userland tools provides a much better reference. Usually, the constant names are
self-explanatory, as the following example demonstrates:


<audit.h>
#define AUDIT_PID 0
#define AUDIT_UID 1
#define AUDIT_EUID 2
#define AUDIT_SUID 3
...

The values array is only used for specifying numerical values, but this is not sufficient to create rules
that are restricted to filenames and other non-numerical quantities. A string argument can therefore
be appended behind struct audit_rule_data. It is accessible via the pseudo-array buf, and the string
length is denoted by buflen.


While struct audit_rule_data is employed to transmit rules from userspace to the kernel, two more
data structures are used to represent rules within the kernel itself. They are defined as follows:


kernel/audit.h
struct audit_field {
u32 type;
u32 val;
u32 op;
...
};

struct audit_krule {
int vers_ops;
u32 flags;
u32 listnr;
u32 action;
u32 mask[AUDIT_BITMASK_SIZE];
u32 buflen; /* for data alloc on list rules */

(^4) AUDIT_POSSIBLE is still listed as another alternative, but it’s deprecated and not supposed to be used any more.
