Linux Kernel Architecture


Chapter 19: Auditing


Most elements of the data structure are concisely described by their accompanying comments, and the
undocumented entries are as follows:

❑ state denotes the activity level of auditing. The possible states are given by audit_state,
namely: AUDIT_DISABLED (no system call recording), AUDIT_BUILD_CONTEXT (create an audit
context and always fill in system call data at system call entry), and AUDIT_RECORD_CONTEXT
(create an audit context, always fill in data at system call entry, and always write the audit
record at system call exit).^2
AUDIT_DISABLED only makes sense when system call auditing was active at some time, but has
been stopped. If no auditing has been performed yet, then no audit_context is allocated and no
state is required.
❑ names enables you to store the data of up to AUDIT_NAMES (usually set to 20) filesystem objects
(the precise contents of this structure will be defined in a moment). name_count records how
many of the available slots are presently in use.
❑ audit_aux_data allows for storing auxiliary data in addition to the audit context (the associated
data structure is also described in a moment). Although aux is for general use, aux_pids
is employed to register the PIDs of processes that received a signal from a system call that was
audited.

Fields like pid, sgid, personality, and so on that are defined at the end of the structure reflect their
counterparts in task_struct. They are used to copy values from a given instance of task_struct so that
they are available without needing to hold a reference to the task_struct.

The need to store information about filesystem objects arises when system calls are being audited. The
following data structure provides a means to store this information:

kernel/auditsc.c
struct audit_names {
    const char *name;    /* pathname of the object as passed to the system call */
    int name_len;        /* number of name’s characters to log */
    unsigned long ino;   /* inode number */
    dev_t dev;           /* device on which the inode resides */
    umode_t mode;        /* file type and permission bits */
    uid_t uid;           /* owning user */
    gid_t gid;           /* owning group */
    dev_t rdev;          /* device number for device special files */
    u32 osid;            /* security module (SELinux) object identifier */
};

The members describe the usual properties of filesystem objects, so this section does not bother with the
details. The array names from struct audit_context allows up to AUDIT_NAMES (usually set to 20) of them to
be stored.
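The following user-space model, added here as an illustration and not taken from the kernel source, ties together the state semantics described above (which states collect data at entry and which force a record at exit) and the fixed-size names array with its name_count. The model_* functions, the names_dropped counter and the rule_matched parameter are assumptions made for the illustration; only the constants and field names come from the text.

```c
/* Added user-space model (not kernel code) of the audit_context state and
 * bounded audit_names array described above; model_* helpers are hypothetical. */
#include <string.h>

#define AUDIT_NAMES 20          /* slot count given in the text */

enum audit_state {
    AUDIT_DISABLED,             /* no system call recording */
    AUDIT_BUILD_CONTEXT,        /* fill syscall data at entry, record not forced */
    AUDIT_RECORD_CONTEXT        /* fill at entry and always write record at exit */
};

struct audit_names { const char *name; int name_len; };

struct audit_context {
    enum audit_state state;
    int name_count;             /* names[] slots in use */
    int names_dropped;          /* model-only: objects that did not fit */
    struct audit_names names[AUDIT_NAMES];
};

/* Entry: returns 1 if syscall data is collected, 0 for a disabled context. */
int model_syscall_entry(struct audit_context *ctx)
{
    ctx->name_count = ctx->names_dropped = 0;
    return ctx->state != AUDIT_DISABLED;
}

/* Store a touched filesystem object; the array is fixed-size, so entries
 * beyond AUDIT_NAMES are counted rather than stored. Returns 1 if stored. */
int model_record_name(struct audit_context *ctx, const char *name)
{
    if (ctx->state == AUDIT_DISABLED)
        return 0;
    if (ctx->name_count >= AUDIT_NAMES) {
        ctx->names_dropped++;
        return 0;
    }
    ctx->names[ctx->name_count].name = name;
    ctx->names[ctx->name_count].name_len = (int)strlen(name);
    ctx->name_count++;
    return 1;
}

/* Exit: returns 1 if a record is written. Assumption (simplified): a
 * BUILD_CONTEXT record is written only when a matching rule asked for it. */
int model_syscall_exit(const struct audit_context *ctx, int rule_matched)
{
    return ctx->state == AUDIT_RECORD_CONTEXT ||
           (ctx->state == AUDIT_BUILD_CONTEXT && rule_matched);
}
```

A call that touches more than AUDIT_NAMES objects silently loses the excess in the real array as well, which is worth remembering when reading records for path-heavy system calls.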

The current audit state of a process is stored in the state field of audit_context. The kernel defines
audit rules that facilitate switching between different audit modes. The names of the actions, however,
differ from the constants used for state. The following excerpt from the rule processing state machine

(^2) Another alternative (AUDIT_SETUP_CONTEXT) can also be found in the definition of enum audit_state, but it is currently
unused.
