Chapter 19: Auditing
u32 field_count;
char *filterkey; /* ties events to rules */
struct audit_field *fields;
...
};The contents are similar tostruct audit_rule_data, except that the data types employed can be manip-
ulated and traversed in a more convenient fashion. All rules are contained in an array pointed at by
fields, and each rule is represented by an instance ofstruct audit_field.To convert between both audit rule representations, the kernel provides the auxiliary function
audit_rule_to_entry. Since the transformation is a somewhat mechanical process that does not provide
any special insights into how rules work, this section doesn’t bother to discuss the code in detail. All you
need to know here is that the routine takes an instance ofstruct audit_ruleand converts it into an
instance ofstruct audit_entry, which is a container foraudit_krule.kernel/audit.h
struct audit_entry {
struct list_head list;
struct rcu_head rcu;
struct audit_krule rule;
};This container allows for storing rules in filter lists. Six different filter lists are provided by
audit_filter_list.kernel/auditsc.c
static struct list_head audit_filter_list[AUDIT_NR_FILTERS] = {
LIST_HEAD_INIT(audit_filter_list[0]),
...
LIST_HEAD_INIT(audit_filter_list[5]),
};Each list keeps all rules that are to be applied at one of the opportunities defined by theAUDIT_FILTER_
macros.Note that new rules are added withaudit_add_rulethat is called when an appropriate request is sent
from theauditddaemon to the kernel. Since this routine is likewise rather technical and mostly uninter-
esting, this section does not cover it in detail.19.3.2 Initialization
Initialization of the audit subsystem is performed byaudit_init. In addition to setting up data struc-
tures, the function creates a netlink socket used for communication with the userland as follows:kernel/audit.c
static int __init audit_init(void)
{
...
audit_sock = netlink_kernel_create(&init_net, NETLINK_AUDIT, 0,
audit_receive, NULL, THIS_MODULE);
...
}