serial: A unique number that helps identify a particular audit record. Along with ctime, it can determine which pieces belong to the same audit record. The (timestamp, serial) tuple is unique for each syscall and it lives from syscall entry to syscall exit.

ctime: Time at system call entry.

major: System call number.

argv array: The first 4 arguments of the system call.

name_count: Number of names. The maximum defined is 20.

audit_names: An array of audit_names structures, each holding the path data copied by getname().

auditable: This field is set to 1 if the audit_context needs to be written on syscall exit.

pwd: Current working directory from where the task has started.

pwdmnt: Current working directory mount point. pwdmnt and pwd are used to set the cwd field of FS_WATCH audit record type.

aux: A pointer to auxiliary data structure to be used for event specific audit information.

pid: Process id.

arch: The machine architecture.

personality: The OS personality number.

Other fields: The audit context also holds the various real, effective, saved and file system user and group IDs: uid, euid, suid, fsuid, gid, egid, sgid, fsgid.
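As an added example (not part of this manual), the following Python reassembles events from the user-space audit log using the (timestamp, serial) key described above: every record of one syscall carries the same audit(ctime:serial) tag, so SYSCALL, CWD and PATH records can be joined back into the fields listed here (major, the id set, pwd, audit_names). The log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: four records from one syscall, three from the next.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0a1 a2=80000 a3=0 pid=4242 uid=1000 euid=1000 suid=1000 fsuid=1000 gid=1000 egid=1000 sgid=1000 fsgid=1000 key="etc-watch"
type=CWD msg=audit(1700000000.123:456): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0
type=PATH msg=audit(1700000000.123:456): item=1 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.124:457): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=2 a2=0 a3=0 pid=4243 uid=1000 euid=1000 suid=1000 fsuid=1000 gid=1000 egid=1000 sgid=1000 fsgid=1000 key="shadow-watch"
type=CWD msg=audit(1700000000.124:457): cwd="/tmp"
type=PATH msg=audit(1700000000.124:457): item=0 name="/etc/shadow" inode=1235 dev=08:01 mode=0100640 ouid=0 ogid=42
"""

# "type=<RECORD> msg=audit(<ctime>:<serial>): <fields>"
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ID_FIELDS = ("uid", "euid", "suid", "fsuid", "gid", "egid", "sgid", "fsgid")

def parse_fields(body):
    """Split 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def group_events(log_text):
    """Join records sharing a (ctime, serial) key into one event dict."""
    events = defaultdict(lambda: {"syscall": None, "success": None,
                                  "ids": {}, "cwd": None, "names": []})
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue                      # not an audit record line
        rtype, ctime, serial, body = m.groups()
        ev = events[(ctime, int(serial))]  # the unique per-syscall tuple
        fields = parse_fields(body)
        if rtype == "SYSCALL":            # major + the id set from audit_context
            ev["syscall"] = int(fields["syscall"])
            ev["success"] = fields["success"] == "yes"
            ev["ids"] = {k: fields[k] for k in ID_FIELDS}
        elif rtype == "CWD":              # emitted from pwd/pwdmnt
            ev["cwd"] = fields["cwd"]
        elif rtype == "PATH":             # one record per audit_names entry
            ev["names"].append((int(fields["item"]), fields["name"]))
    for ev in events.values():            # order names by their item index
        ev["names"] = [n for _, n in sorted(ev["names"])]
    return dict(events)
```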

5.6.1.2 File system audit components

File system auditing is implemented using the inotify kernel file modification notification system (Section 5.1.4). The kernel audit subsystem initialization routine audit_init() registers a vector of inotify operations using the inotify_init() function. The operations vector contains the audit subsystem inotify event notification function audit_handle_ievent() and the audit subsystem inotify destroy function audit_free_parent(). The inotify handle used by the audit subsystem is the one returned by that successful inotify_init() call during audit_init(). When audit inotify events occur, audit_handle_ievent() updates the audit context inode data to reflect changes in the watched file's status.

When the audit subsystem receives an instruction from auditctl to set a watch on a file system object, the audit_receive_skb() function receives the netlink packet in the kernel. It in turn calls audit_receive_message(), which dispatches the appropriate function based upon the operation requested. For audit rule updates, it calls audit_receive_filter(). The audit_receive_filter() routine calls audit_data_to_entry(), which converts the audit data to a rule entry, calls audit_to_watch() to initialize the audit watch data structure for a watch rule, and then calls audit_add_rule().

The audit_add_rule() function adds the inotify watch for the watch rule by calling audit_add_watch(), which scans the list of active audit inotify watch parents and adds the parent if it does not already exist by calling audit_init_parent(). The audit_init_parent() function calls inotify_init_watch() and inotify_add_watch() to initialize the inotify watch and register it with the inotify subsystem. It finally adds the watch to the parent by calling the audit_add_to_parent() function, which associates the watch rule with the watch parent.

IBM 10 SP1 EAL4 manual File system audit components