Linux Kernel Architecture


Chapter 19: Auditing


to store auxiliary data — this is used by several system calls. Since the method to realize this is nearly
identical for all cases, only sys_socketcall is shown as an example here. The following hook function is
used to allocate and fill in the auxiliary data:

kernel/auditsc.c
int audit_socketcall(int nargs, unsigned long *args)
{
    struct audit_aux_data_socketcall *ax;
    struct audit_context *context = current->audit_context;

    /* No audit context, or a dummy one: nothing is collected for this task. */
    if (likely(!context || context->dummy))
        return 0;

    /* The record is variable-length: header plus nargs argument words. */
    ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
    ...

    ax->nargs = nargs;
    memcpy(ax->args, args, nargs * sizeof(unsigned long));

    /* Tag the record with its type and push it onto the context's aux list. */
    ax->d.type = AUDIT_SOCKETCALL;
    ax->d.next = context->aux;
    context->aux = (void *)ax;
    return 0;
}

If auditing system calls is disabled, then no audit context is allocated, so the routine can exit immediately.
Otherwise, an auxiliary context is added to the audit context.

Every time sys_socketcall is invoked, it calls audit_socketcall as follows:

net/socket.c
asmlinkage long sys_socketcall(int call, unsigned long __user *args)
{
    ...
    /* nargs[] holds the argument size in bytes per call number; a[] holds the copied-in arguments. */
    err = audit_socketcall(nargs[call]/sizeof(unsigned long), a);
    ...
}

The remaining parts of sys_socketcall can use the auxiliary context to store specific socket-related
information that will be passed to the audit userspace tools.
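The following user-space model, added here as an illustration and not taken from the book or the kernel sources, shows the mechanism the two excerpts above rely on: a variable-length auxiliary record is tagged with a type, pushed onto the head of the context's aux list, and later walked by the consumer that emits the log record at system call exit. The structure layouts, the nargs_bytes table, the AUDIT_SOCKETCALL value, and the helper functions record_socketcall, count_socketcall_args, run_demo and dummy_context_collects_nothing are simplified constructions for this example; the context is passed explicitly rather than read from current->audit_context.

```c
/* Added example: user-space model of the audit auxiliary-data list.
 * Structures and values are simplified and constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_SOCKETCALL 1324 /* assumed value; the real one is in include/linux/audit.h */

/* Generic header shared by every auxiliary record type. */
struct audit_aux_data {
    struct audit_aux_data *next;
    int type;
};

/* Socketcall-specific record: header plus a flexible array of argument words. */
struct audit_aux_data_socketcall {
    struct audit_aux_data d;
    int nargs;
    unsigned long args[];
};

/* Per-task audit context, reduced to the fields this example needs. */
struct audit_context {
    int dummy;                  /* set when no rule can match: collect nothing */
    struct audit_aux_data *aux; /* singly linked list of auxiliary records */
};

/* Constructed stand-in for the nargs[] table in net/socket.c: bytes of
 * argument data per multiplexer number (none, socket, bind, connect, listen, accept). */
#define AL(x) ((x) * sizeof(unsigned long))
static const unsigned char nargs_bytes[] = { AL(0), AL(3), AL(3), AL(3), AL(2), AL(3) };

/* Model of audit_socketcall(): 0 on success, -1 when allocation fails. */
int audit_socketcall(struct audit_context *context, int nargs, const unsigned long *args)
{
    struct audit_aux_data_socketcall *ax;

    /* No context or a dummy one: auditing is off for this task, exit early. */
    if (!context || context->dummy)
        return 0;

    ax = malloc(sizeof(*ax) + (size_t)nargs * sizeof(unsigned long));
    if (!ax)
        return -1;

    ax->nargs = nargs;
    memcpy(ax->args, args, (size_t)nargs * sizeof(unsigned long));

    /* Tag the record and push it onto the head of the context's aux list. */
    ax->d.type = AUDIT_SOCKETCALL;
    ax->d.next = context->aux;
    context->aux = &ax->d;
    return 0;
}

/* Model of the sys_socketcall() call site: derive the word count from the byte table. */
int record_socketcall(struct audit_context *ctx, int call, const unsigned long *a)
{
    if (call < 0 || (size_t)call >= sizeof(nargs_bytes))
        return -1;
    return audit_socketcall(ctx, (int)(nargs_bytes[call] / sizeof(unsigned long)), a);
}

/* Consumer side: walk the list as a log-emission routine would and sum the
 * argument counts of all AUDIT_SOCKETCALL records. */
int count_socketcall_args(const struct audit_context *ctx)
{
    int total = 0;
    for (const struct audit_aux_data *d = ctx->aux; d; d = d->next)
        if (d->type == AUDIT_SOCKETCALL)
            total += ((const struct audit_aux_data_socketcall *)d)->nargs;
    return total;
}

/* Release the chain, as audit_free_aux() does in the kernel. */
void audit_free_aux(struct audit_context *ctx)
{
    while (ctx->aux) {
        struct audit_aux_data *d = ctx->aux;
        ctx->aux = d->next;
        free(d);
    }
}

/* Constructed scenario: a socket() call (3 args) followed by listen() (2 args). */
int run_demo(void)
{
    struct audit_context ctx = { 0, NULL };
    unsigned long socket_args[3] = { 2, 1, 0 }; /* constructed: AF_INET-like, stream, proto 0 */
    unsigned long listen_args[2] = { 3, 5 };    /* constructed: fd 3, backlog 5 */
    int total;

    if (record_socketcall(&ctx, 1, socket_args) != 0 ||
        record_socketcall(&ctx, 4, listen_args) != 0)
        return -1;
    total = count_socketcall_args(&ctx); /* 3 + 2 */
    audit_free_aux(&ctx);
    return total;
}

/* A dummy context must leave the aux list empty: returns 1 if so. */
int dummy_context_collects_nothing(void)
{
    struct audit_context off = { 1, NULL };
    unsigned long a[3] = { 2, 1, 0 };
    audit_socketcall(&off, 3, a);
    return off.aux == NULL;
}

int main(void)
{
    printf("argument words recorded: %d\n", run_demo());
    printf("dummy context recorded nothing: %d\n", dummy_context_collects_nothing());
    return 0;
}
```

The early return on a dummy context is the point worth noticing from an operations perspective: when no audit rule can match the task, the kernel pays only the cost of that check, which is why auditing is usable on production systems; the per-record allocation and copy only happen for tasks that a rule has selected.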

19.4 Summary


Observing what is going on inside a system is interesting for a number of reasons, and this chapter
introduced you to one particular solution provided by the kernel for this purpose: Auditing is a low-
overhead mechanism that can be employed on stable production systems to obtain a comprehensive
set of information without impacting system performance too much. After introducing audit rules that
allow you to specify which information is interesting, the chapter discussed how the kernel gathers the
corresponding data and forwards it to userland.