Linux Kernel Architecture


Chapter 19: Auditing


Closing the Audit Log


After all necessary log messages have been written to an audit buffer, audit_log_end needs to be called
to ensure that the audit log is sent to the userspace daemon. The code flow diagram for the function can
be found in Figure 19-6.

Figure 19-6: Code flow diagram for audit_log_end (audit_log_end: perform rate check, enqueue socket
buffer, audit_buffer_free).

After performing another rate check (if messages have been submitted too frequently, the present
message is lost and a "rate limit exceeded" message is sent to the daemon instead), the socket buffer
associated with the audit buffer is put on a queue for later processing by kauditd, and the kauditd
thread is woken up:

kernel/audit.c
void audit_log_end(struct audit_buffer *ab)
{
...
/* Fill in the netlink header length now that the payload is complete.
   NLMSG_SPACE(0) is the size of the aligned header, so nlmsg_len ends up
   holding the payload length alone, not the header-inclusive length that
   netlink messages normally carry. */
struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
/* Hand the socket buffer over to kauditd; the audit buffer gives up
   ownership so that audit_buffer_free does not release the skb. */
skb_queue_tail(&audit_skb_queue, ab->skb);
ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
...
}

Note that the kernel provides the convenience function audit_log, which can be used as an abbreviation
for the three aforementioned tasks (starting an audit log, writing messages, and ending the log). It has
the following prototype:

<audit.h>
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
               const char *fmt, ...);
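To make the sequence concrete, here is a userspace model of the lifecycle just described: audit_log_start, audit_log_format, audit_log_end, the audit_log wrapper, and the dequeue step on the kauditd side. It is an added example, not code from the kernel or from the book. The functions are local stand-ins named after their kernel counterparts; a flat byte array plays the socket buffer, a linked list plays audit_skb_queue, and the rate limiter is a fixed-window counter that resets when the hypothetical audit_rate_window_tick is called (an assumption for the example, not the kernel's algorithm). The nlmsghdr layout and NLMSG_* macros are reproduced from <linux/netlink.h> so the file builds without kernel headers.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layout of struct nlmsghdr and the NLMSG_* macros as in <linux/netlink.h>,
 * reproduced here so the example builds without kernel headers. */
struct nlmsghdr {
    uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags;
    uint32_t nlmsg_seq; uint32_t nlmsg_pid;
};
#define NLMSG_ALIGN(len) (((len) + 3) & ~(size_t)3)
#define NLMSG_HDRLEN     NLMSG_ALIGN(sizeof(struct nlmsghdr))
#define NLMSG_SPACE(len) NLMSG_ALIGN((len) + NLMSG_HDRLEN)
#define NLMSG_DATA(nlh)  ((char *)(nlh) + NLMSG_HDRLEN)
#define AUDIT_KERNEL 2000   /* record type value from <linux/audit.h> */
#define AUDIT_BUFSIZ 1024   /* fixed buffer size, stands in for the skb */

struct audit_buffer {            /* stand-in: a byte array plays the skb */
    unsigned char data[AUDIT_BUFSIZ];
    size_t len;                  /* bytes used, header included (skb->len) */
    struct audit_buffer *next;   /* queue link, stands in for skb_queue */
};

static struct audit_buffer *queue_head, *queue_tail;  /* audit_skb_queue */
static unsigned long audit_lost;                      /* dropped records */
static unsigned audit_rate_limit = 3, window_count;   /* fixed-window limiter */

void audit_rate_window_tick(void) { window_count = 0; }  /* a window elapses */
unsigned long audit_lost_count(void) { return audit_lost; }

static int audit_rate_check(void)
{
    if (audit_rate_limit && window_count >= audit_rate_limit)
        return 0;
    window_count++;
    return 1;
}

/* Reserve room for the netlink header and record the message type. */
struct audit_buffer *audit_log_start(int type)
{
    struct audit_buffer *ab = calloc(1, sizeof(*ab));
    if (!ab) return NULL;
    ((struct nlmsghdr *)ab->data)->nlmsg_type = (uint16_t)type;
    ab->len = NLMSG_SPACE(0);    /* header reserved, payload still empty */
    return ab;
}

/* Append formatted text; truncate instead of running past the buffer. */
static void audit_log_vformat(struct audit_buffer *ab, const char *fmt, va_list ap)
{
    size_t avail = AUDIT_BUFSIZ - ab->len;
    int n = vsnprintf((char *)ab->data + ab->len, avail, fmt, ap);
    if (n > 0) ab->len += ((size_t)n < avail) ? (size_t)n : avail - 1;
}

void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
{
    va_list ap;
    if (!ab) return;
    va_start(ap, fmt); audit_log_vformat(ab, fmt, ap); va_end(ap);
}

/* Rate check, netlink length fix-up, hand-off to the queue. On a rate-limit
 * hit the record is dropped and counted in audit_lost; nothing is queued. */
void audit_log_end(struct audit_buffer *ab)
{
    if (!ab) return;
    if (!audit_rate_check()) {
        audit_lost++;
        fprintf(stderr, "audit: rate limit exceeded, lost=%lu\n", audit_lost);
        free(ab);
        return;
    }
    struct nlmsghdr *nlh = (struct nlmsghdr *)ab->data;
    /* Same arithmetic as the kernel excerpt: NLMSG_SPACE(0) is the aligned
     * header size, so nlmsg_len ends up holding the payload length alone. */
    nlh->nlmsg_len = (uint32_t)(ab->len - NLMSG_SPACE(0));
    ab->next = NULL;
    if (queue_tail) queue_tail->next = ab; else queue_head = ab;
    queue_tail = ab;
}

/* The convenience wrapper: start, format and end in one call. */
void audit_log(int type, const char *fmt, ...)
{
    struct audit_buffer *ab = audit_log_start(type);
    va_list ap;
    if (!ab) return;
    va_start(ap, fmt); audit_log_vformat(ab, fmt, ap); va_end(ap);
    audit_log_end(ab);
}

/* kauditd side: pop one record, copy its text out, free the buffer. Returns
 * the payload length, or -1 if the queue is empty. nlmsg_len is read as the
 * payload size directly, matching how audit_log_end above filled it in. */
int kauditd_dequeue(char *out, size_t outsz, uint16_t *type)
{
    struct audit_buffer *ab = queue_head;
    if (!ab) return -1;
    queue_head = ab->next;
    if (!queue_head) queue_tail = NULL;
    struct nlmsghdr *nlh = (struct nlmsghdr *)ab->data;
    size_t n = nlh->nlmsg_len < outsz ? nlh->nlmsg_len : outsz - 1;
    memcpy(out, NLMSG_DATA(nlh), n);
    out[n] = '\0';
    if (type) *type = nlh->nlmsg_type;
    free(ab);                    /* audit_buffer_free */
    return (int)n;
}
```

Calling audit_log five times in one window against a limit of three queues three records, drops two, and leaves audit_lost_count at 2; kauditd_dequeue then hands back each queued record's text and type in FIFO order. The consumer deliberately treats nlmsg_len as the payload size, because that is what the length fix-up produces; a generic netlink parser that expects nlmsg_len to include the 16-byte header would mis-size these records, which is worth knowing when writing your own reader for the audit socket. For a SOC, the audit_lost counter is the signal that the record stream is incomplete: a rate-limited audit subsystem silently drops evidence rather than blocking the producer.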

19.3.5 System Call Auditing


By now, all data structures and mechanisms required for system call auditing have been described, so
this section continues the description of the implementation. System call auditing is different from the
basic audit mechanism because it relies on an extension of the task structure with an audit context that
was introduced in a previous section.

Audit Context Allocation


First of all, you need to consider under which circumstances such contexts are allocated. Since this
is an expensive operation, it is only performed if system call auditing was explicitly enabled.