Chapter 19: Auditing
Afterwards, a log message is formatted with audit_log_format, and finally the audit log is closed with audit_log_end and the message is queued for transmission to the audit daemon.

Audit Start
To start auditing, audit_log_start needs to be called. The associated code flow diagram can be seen in Figure 19-5.

Figure 19-5: Code flow diagram for audit_log_start (audit_log_start: consider backlog and rate limit; audit_buffer_alloc; audit_get_stamp; audit_log_format).

Basically, the job of audit_log_start is to set up an instance of audit_buffer and return it to the caller; but before this, the backlog limit and rate limit need to be considered.

The maximal length of the backlog queue (i.e., the queue where the finished audit records are stored) is given by the global variable audit_backlog_limit. If this number is surpassed,^5 audit_log_start schedules a timeout and retries the operation afterward, hoping that the backlog has been reduced in the meantime. Additionally, a rate check ensures that not more than a certain number of messages are sent per second. The global variable audit_rate_limit determines the maximal frequency. If this frequency is surpassed, a message that indicates this condition is sent to the daemon and allocation is aborted. These measures are necessary to avoid denial-of-service attacks, and to provide protection against audit events that occur with too-high frequency.

If backlog and rate limits allow the creation of new audit buffers, audit_buffer_alloc is used to do what its name says — allocate an audit_buffer instance. Before the buffer is returned to the caller, audit_get_stamp provides a unique serial number, and an initial log message that contains the creation time and the serial number is written to the buffer.

Writing Log Messages
audit_log_format is used to write a log message into a given audit buffer. The prototype of the function is as follows:

kernel/audit.c
void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)

As the prototype suggests, audit_log_format is — more or less — a variant of printk. The format string given in fmt is evaluated and filled in with the parameters given by the va_args list, and the resulting string is written into the data space of the socket buffer associated with the audit buffer.

(^5) Note that audit records that are allocated without the __GFP_WAIT flag are considered more urgent. The backlog length threshold at which they are prevented from being created is higher than for other allocation types.
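As an added illustration (not code from the book or from the kernel), the following user-space model reproduces the decisions described above for audit_log_start together with footnote 5: a backlog check that would make the kernel wait and retry, a per-second rate check that refuses the record, and the serial-stamped initial message. All sim_ names, SIM_URGENT_RESERVE and the constructed scenario values are invented here; only the two limit fields mirror the kernel globals audit_backlog_limit and audit_rate_limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#define SIM_URGENT_RESERVE 5 /* backlog headroom for callers that cannot wait (illustrative value) */

struct sim_buffer { unsigned serial; char msg[64]; };
struct sim_audit {
    unsigned backlog_limit, rate_limit;   /* mirror audit_backlog_limit / audit_rate_limit; 0 = check off */
    unsigned backlog;                     /* finished records not yet handed to the daemon */
    unsigned rate_count; time_t rate_sec; /* records started during second rate_sec */
    unsigned next_serial, lost;           /* audit_get_stamp counter; records refused by the rate check */
};
/* NULL: kernel would retry later (backlog) or abort (rate limit); can_wait models __GFP_WAIT (footnote 5) */
struct sim_buffer *sim_log_start(struct sim_audit *a, time_t now, int can_wait)
{
    unsigned reserve = can_wait ? 0 : SIM_URGENT_RESERVE;
    if (a->backlog_limit && a->backlog > a->backlog_limit + reserve)
        return NULL;                      /* kernel: schedule a timeout and retry */
    if (a->rate_limit) {
        if (now != a->rate_sec) { a->rate_sec = now; a->rate_count = 0; }
        if (++a->rate_count > a->rate_limit) {
            a->lost++;                    /* kernel: report the condition to the daemon, abort */
            return NULL;
        }
    }
    struct sim_buffer *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->serial = ++a->next_serial;
    snprintf(b->msg, sizeof b->msg, "audit(%ld:%u): ", (long)now, b->serial); /* initial message */
    return b;
}

/* `attempts` records within one second under a per-second limit; returns how many were refused. */
unsigned sim_rate_demo(unsigned attempts, unsigned limit)
{
    struct sim_audit a = { .rate_limit = limit };
    for (unsigned i = 0; i < attempts; i++) {
        struct sim_buffer *b = sim_log_start(&a, 1000, 1);
        if (b) { a.backlog++; free(b); }  /* audit_log_end: queue the record, release the buffer */
    }
    return a.lost;
}

/* Backlog already above its limit: only a caller that cannot wait still gets a buffer. */
int sim_backlog_demo(int can_wait)
{
    struct sim_audit a = { .backlog_limit = 8, .backlog = 10 };
    struct sim_buffer *b = sim_log_start(&a, 1000, can_wait);
    int got = b != NULL; free(b); return got;
}
```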
