When a filesystem object the audit subsystem is watching changes, the inotify subsystem calls the audit_handle_event() function. audit_handle_event() in turn updates the audit subsystem's watch data for the watched entity. This process is detailed in Section 5.6.3.1.3.

5.6.1.3 User space audit components

The main user level audit components consist of a daemon (auditd), a control program (auditctl), a library (libaudit), a configuration file (auditd.conf), and an initial setup file (auditd.rules). There is also an init script that is used to start and stop auditd, /etc/init.d/auditd. When run, this script sources another file, /etc/sysconfig/auditd, to set the locale, and to set the variable AUDIT_CLEAN_STOP, which controls whether to delete the watch points and the filter rules when auditd stops.

On startup, auditd reads the configuration file to set the configuration options that pertain to the daemon itself. Then auditd reads auditd.rules to load the initial watch and filter rules. The auditd.conf man page describes all the configurable options, and the auditctl man page lists all the supported control options.
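A small linter for the rule set auditd loads at startup, added here as an example (not IBM's or the Linux audit project's code). It assumes the auditctl rule syntax (-w/-p/-k watch rules, -a/-S/-F/-k syscall filter rules, -D/-b control options) and runs over a constructed auditd.rules sample, flagging rules an administrator could not later search by key and watches with invalid permission letters.

```python
"""Lint an auditd.rules file before auditd loads it via auditctl.
Added example; the sample rule set below is constructed."""
import shlex

SAMPLE_RULES = """\
# constructed example of an auditd.rules file
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/audit/ -p wa
-a exit,always -S open -S openat -F success=0 -k access-failure
-a entry,always -S execve -k exec
"""

def parse_rule(line):
    """Return a dict describing one rule line, or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    argv = shlex.split(line)
    rule = {"kind": None, "path": None, "perms": None, "syscalls": [],
            "fields": [], "key": None}
    i = 0
    while i < len(argv):
        opt = argv[i]
        arg = argv[i + 1] if i + 1 < len(argv) else None
        if opt == "-w":                      # filesystem watch (inotify-backed)
            rule["kind"], rule["path"] = "watch", arg
        elif opt == "-a":                    # syscall filter rule
            rule["kind"], rule["action_list"] = "syscall", arg
        elif opt == "-p":
            rule["perms"] = arg
        elif opt == "-S":
            rule["syscalls"].append(arg)
        elif opt == "-F":
            rule["fields"].append(arg)
        elif opt == "-k":
            rule["key"] = arg
        elif opt in ("-D", "-e", "-b", "-f", "-r"):   # daemon/kernel control options
            rule["kind"], rule["opt"] = "control", opt
        else:
            raise ValueError("unknown option %r in rule: %s" % (opt, line))
        i += 1 if opt == "-D" else 2
    return rule

def lint_rules(text):
    """Return a list of (line_no, problem) findings for a rule set."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        rule = parse_rule(raw)
        if rule is None or rule["kind"] == "control":
            continue
        if rule["key"] is None:
            findings.append((no, "rule has no -k key; events are hard to find with ausearch -k"))
        if rule["kind"] == "watch" and rule["perms"] and set(rule["perms"]) - set("rwxa"):
            findings.append((no, "invalid -p permissions %r" % rule["perms"]))
        elif rule["kind"] == "syscall" and not rule["syscalls"]:
            findings.append((no, "syscall rule without -S matches nothing useful"))
    return findings
```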

IBM 10 SP1 EAL4 manual User space audit components