Linux Kernel Architecture


Chapter 19: Auditing


19.3 Implementation


The audit implementation belongs to the very core of the kernel (the source is located directly in kernel/).
This stresses how much emphasis the kernel developers place on the framework. As with all code in
the core kernel directory, much care was taken to make it as compact, efficient, and clean as possible. The
code is basically distributed across three files:

❑ kernel/audit.c provides the core audit mechanism.
❑ kernel/auditsc.c implements system call auditing.
❑ kernel/auditfilter.c contains the means to filter audit events.

Another file, kernel/audit_tree.c, contains data structures and routines that allow auditing of complete
directory trees. Since a rather large amount of code is required to implement this comparatively
small benefit, for simplicity's sake this chapter does not discuss this possibility any further.

Detailed documentation of the log format used, usage descriptions for the associated tools, and so on
can be found on the developer's website http://people.redhat.com/peterm/audit, and in the corresponding
manual pages. With this in mind, you can dive directly into the details of the implementation in
this section!

As is the case for most parts of the kernel, understanding the data structures of the audit framework is a
big step toward understanding the implementation.

19.3.1 Data Structures


The audit mechanism uses data structures that fall into three main categories. First, processes need to be
instrumented with a per-task data structure that is especially important for system call auditing. Second,
audit events, filtering rules and so on need to be represented within the kernel. Third, a communication
mechanism with the userland utilities needs to be established.

Figure 19-2 illustrates the connection of the different data structures that form the core of the auditing
mechanism. The task structure is extended with an audit context that allows storing all data relevant
for a system call, and a database that contains all audit rules is established. The data structures used to
transfer audit data between kernel and userspace are not too interesting in this context, so they are not
included in the figure.

Extensions to task_struct


Every process in the system is represented by an instance of struct task_struct, as discussed in
Chapter 2. A pointer member of the structure is used to equip a process with an audit context as follows:

<sched.h>
struct task_struct {
...
struct audit_context *audit_context;
...
};
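To make the three data structure categories from the beginning of this subsection concrete (the per-task audit context hung off the task by pointer, the rule database, and the transfer of records toward userspace), here is a small self-contained userspace model. It is an added example, not code from the book or from the kernel: the struct names echo the book's terminology, but every field, function name (audit_alloc, audit_filter, audit_syscall_entry/exit), the one-field rule format, and the record buffer standing in for the netlink channel are simplifying assumptions made for illustration only.

```c
/* Added example: userspace model of the audit framework's data structures.
 * NOT kernel code; all names, fields and the rule format are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_CAPACITY 16
#define LOG_RECORD_LEN 96

/* Category 2: a rule. Modelled as "log (1) or suppress (0) this syscall
 * number"; real audit rules carry many more fields. */
struct audit_rule {
    int syscall_nr;
    int action;
    struct audit_rule *next;
};

/* Category 1: per-task state needed to audit one system call. */
struct audit_context {
    int in_syscall;            /* set between syscall entry and exit */
    int syscall_nr;            /* the call currently being recorded */
    long return_code;          /* filled in at syscall exit */
    unsigned long events_logged;
};

/* Stand-in for task_struct: only the audit pointer matters here.
 * NULL models a task that is not audited at all. */
struct task {
    int pid;
    struct audit_context *audit_context;
};

/* Category 3: the path toward userspace, modelled as a bounded record
 * buffer (the real kernel hands records to auditd over netlink). */
static char audit_log[LOG_CAPACITY][LOG_RECORD_LEN];
static int audit_log_len;
static struct audit_rule *rules;

static void audit_rules_reset(void)
{
    while (rules) {
        struct audit_rule *next = rules->next;
        free(rules);
        rules = next;
    }
    audit_log_len = 0;
}

static int audit_add_rule(int syscall_nr, int action)
{
    struct audit_rule *r = malloc(sizeof(*r));
    if (!r)
        return -1;
    r->syscall_nr = syscall_nr;
    r->action = action;
    r->next = rules;           /* newest rule is consulted first */
    rules = r;
    return 0;
}

/* Action of the first matching rule, or -1 when nothing matches
 * (treated as "do not log" by audit_syscall_exit). */
static int audit_filter(int syscall_nr)
{
    for (struct audit_rule *r = rules; r; r = r->next)
        if (r->syscall_nr == syscall_nr)
            return r->action;
    return -1;
}

/* Give a task an audit context; every hook below returns immediately
 * for tasks whose pointer is still NULL. */
static int audit_alloc(struct task *tsk)
{
    tsk->audit_context = calloc(1, sizeof(*tsk->audit_context));
    return tsk->audit_context ? 0 : -1;
}

static void audit_syscall_entry(struct task *tsk, int syscall_nr)
{
    struct audit_context *ctx = tsk->audit_context;
    if (!ctx)
        return;
    ctx->in_syscall = 1;
    ctx->syscall_nr = syscall_nr;
}

static void audit_syscall_exit(struct task *tsk, long return_code)
{
    struct audit_context *ctx = tsk->audit_context;
    if (!ctx || !ctx->in_syscall)
        return;
    ctx->in_syscall = 0;
    ctx->return_code = return_code;
    if (audit_filter(ctx->syscall_nr) == 1 && audit_log_len < LOG_CAPACITY) {
        snprintf(audit_log[audit_log_len++], LOG_RECORD_LEN,
                 "type=SYSCALL pid=%d syscall=%d exit=%ld",
                 tsk->pid, ctx->syscall_nr, ctx->return_code);
        ctx->events_logged++;
    }
}

static int audit_log_count(void) { return audit_log_len; }
static const char *audit_log_entry(int i) { return i < audit_log_len ? audit_log[i] : ""; }

/* Demo with constructed input: two tasks, only one audited; rules log
 * syscall 2 and suppress syscall 3; syscall 1 matches no rule.
 * Returns the number of records that reached the "userspace" buffer (1). */
static int run_demo(void)
{
    struct task audited = { 1000, NULL }, unaudited = { 1001, NULL };
    audit_rules_reset();
    if (audit_alloc(&audited) != 0)
        return -1;
    audit_add_rule(2, 1);
    audit_add_rule(3, 0);
    audit_syscall_entry(&audited, 2);   audit_syscall_exit(&audited, 3);   /* logged */
    audit_syscall_entry(&audited, 3);   audit_syscall_exit(&audited, 0);   /* suppressed */
    audit_syscall_entry(&audited, 1);   audit_syscall_exit(&audited, 5);   /* no rule */
    audit_syscall_entry(&unaudited, 2); audit_syscall_exit(&unaudited, 3); /* no context */
    free(audited.audit_context);
    return audit_log_count();
}

int main(void)
{
    int n = run_demo();
    for (int i = 0; i < n; i++)
        puts(audit_log_entry(i));
    return 0;
}
```

The point of the model is the division of labour the text describes: the per-task context only carries what is needed between syscall entry and exit, the rule list decides whether that context turns into a record, and a task with a NULL audit_context costs nothing on either hook. The single line printed for pid 1000 is the only event that survives both the context check and the filter.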