Linux Kernel Architecture


Chapter 19: Auditing


describes the relationship between them (refer to Section 19.3.1 for more information on how to transmit
audit rules to the kernel):


kernel/auditsc.c
switch (rule->action) {
case AUDIT_NEVER: *state = AUDIT_DISABLED; break;
case AUDIT_ALWAYS: *state = AUDIT_RECORD_CONTEXT; break;
}

Auxiliary data can be attached to an audit_context instance with the help of audit_context->aux. The
kernel employs the following data structure:


kernel/auditsc.c
struct audit_aux_data {
    struct audit_aux_data *next;
    int type;
};

next implements a singly linked list of audit_aux_data instances, and type denotes the type of auxiliary data.
The purpose of audit_aux_data is to be embedded into a higher-level data structure that provides the
actual data. To illustrate this with an example, the following excerpt shows how audit information for
IPC objects is stored:


kernel/auditsc.c
struct audit_aux_data_ipcctl {
    struct audit_aux_data d;
    struct ipc_perm p;
    unsigned long qbytes;
    uid_t uid;
    gid_t gid;
    mode_t mode;
    u32 osid;
};

Note that a struct audit_aux_data is located at the very beginning of audit_aux_data_ipcctl; the real
payload follows afterward. This allows generic methods to be used for list traversal and manipulation.
Typecasts to the specific data type reveal the proper information.
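The embedding pattern just described, as an added user-space model that is not the kernel's own code: the generic header, two constructed payload structs that put the header first, head insertion into a context's aux list, a traversal that reads only the header, and the typecast that recovers the IPC payload. The AUDIT_* values, the reduced field sets and the sample context are assumptions made for this example.

```c
/* Constructed type ids for this example; the kernel's AUDIT_* constants differ. */
enum { AUDIT_IPC = 1, AUDIT_SOCKETCALL = 2 };

struct audit_aux_data {               /* generic header, as in kernel/auditsc.c */
    struct audit_aux_data *next;      /* singly linked list of aux records */
    int type;                         /* says which payload struct wraps this header */
};
/* Payload structs embed the header as their FIRST member (constructed fields). */
struct audit_aux_data_ipcctl { struct audit_aux_data d; unsigned int uid, gid, mode; };
struct audit_aux_data_socketcall { struct audit_aux_data d; int nargs; };
struct audit_context { struct audit_aux_data *aux; };   /* only the field used here */

/* Link a record at the head of the context's aux list. */
static void audit_attach_aux(struct audit_context *ctx, struct audit_aux_data *aux, int type)
{
    aux->type = type;
    aux->next = ctx->aux;
    ctx->aux = aux;
}

/* Generic traversal: touches only the header, whatever payload follows it. */
int audit_count_aux(const struct audit_context *ctx, int type)
{
    int n = 0;
    for (const struct audit_aux_data *a = ctx->aux; a; a = a->next)
        n += (a->type == type);
    return n;
}

/* Type-specific access: the cast is valid only because the header is the first member. */
long audit_first_ipc_uid(const struct audit_context *ctx)
{
    for (const struct audit_aux_data *a = ctx->aux; a; a = a->next)
        if (a->type == AUDIT_IPC)
            return ((const struct audit_aux_data_ipcctl *)a)->uid;
    return -1;                        /* no IPC record attached */
}

/* Constructed sample context: two IPC records and one socketcall record. */
struct audit_context *audit_sample_context(void)
{
    static struct audit_aux_data_ipcctl i1 = { .uid = 1000 }, i2 = { .uid = 42 };
    static struct audit_aux_data_socketcall sc = { .nargs = 3 };
    static struct audit_context ctx;
    ctx.aux = 0;                      /* rebuild the list on every call */
    audit_attach_aux(&ctx, &i1.d, AUDIT_IPC);
    audit_attach_aux(&ctx, &sc.d, AUDIT_SOCKETCALL);
    audit_attach_aux(&ctx, &i2.d, AUDIT_IPC);   /* head insertion: i2 is now first */
    return &ctx;
}
```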


Currently, the kernel defines auxiliary data structures for numerous object types:


❑ audit_aux_data_ipcctl (for auxiliary objects of type AUDIT_IPC and AUDIT_IPC_SET_PERM)
❑ audit_aux_data_socketcall (type AUDIT_SOCKETCALL)
❑ audit_aux_data_sockaddr (type AUDIT_SOCKADDR)
❑ audit_aux_data_datapath (type AUDIT_AVC_PATH)
❑ audit_aux_data_execve (type AUDIT_EXECVE)
❑ audit_aux_data_mq_{open,sendrecv,notify,getsetattr} (types
AUDIT_MQ_{OPEN,SENDRECV,NOTIFY,GETSETATTR})
❑ audit_aux_data_fd_pair (type AUDIT_FD_PAIR)