Event                                           | Description
------------------------------------------------|--------------------------------------------------------------------------------------
LAF audit events                                |
Execution of the test of the underlying machine | Audit message from amtu utility: audit record type: USER, and the result of the test
Changes to system time                          | Syscalls settimeofday, adjtimex
Setting up a trusted channel                    | Syscall exec (of the stunnel program)

Table 5-4: Audit Subsystem event codes


5.6.4 Audit tools

In addition to the main components, the user level provides a search utility, ausearch, and a trace utility, autrace. While ausearch finds audit records in the audit log based on different criteria, autrace audits all syscalls issued by the process being traced. The man pages for these two utilities detail all the options that can be used with each. In this section we briefly describe how they operate.

5.6.4.1 auditctl

The auditctl command configures and examines the kernel audit subsystem. It allows the setting of syscall rules, file watches, various audit characteristics, and the sending of userspace messages. It communicates with the kernel using the netlink socket interface via the audit library. For more information on auditctl, please see the auditctl(8) man page. Use of auditctl is restricted in the TOE to administrative users.

5.6.4.2 ausearch

Only root has the ability to run this tool. First, ausearch checks the validity of the parameters passed, that is, whether they are supported or not. Then it opens either the logs or the administrator-specified files. The location of the logs is extracted from /etc/auditd.conf. After that, ausearch starts to process the records, one record at a time, matching them against the parameters passed to it. Each audit record can be written into the log as multiple file records. The tool collates all the file records belonging to one audit record into a linked list before it checks whether the record matches the requested search criteria. For more information on ausearch, please see the ausearch(8) man page.

5.6.5 Login uid association

The pam_loginuid.so module writes the login uid of the process that was authenticated to the /proc file system (/proc/session id/loginuid). The loginuid file is only writable by root and readable by everyone. The /proc file system triggers the kernel function audit_set_loginuid() to set the login uid for the user in the audit context. From then on, this login uid is maintained throughout the session, so that all operations done in the session can be traced back to exactly the login user.
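The following Python script is an added example, not code from this document or from the audit package. It illustrates two points from sections 5.6.4.2 and 5.6.5 together: how a reader such as ausearch must first collate the several file records that make up one audit record (they share the same audit(timestamp:serial) key) before applying its search criteria, and how the login uid (the auid field written by pam_loginuid) lets every record of a session be traced back to the login user even after the effective uid became 0 through su. The log lines are constructed for the example; the syscall numbers and file paths in them are sample values, and the field names follow the usual type=... msg=audit(...) record layout rather than any particular audit version.

```python
"""Added example (not code from the HLD document or the audit package): a
minimal ausearch-style reader that collates multi-line audit events and
filters them by login uid (auid), syscall number or rule key.
The log lines below are constructed for this example."""
import re
from collections import OrderedDict

# Constructed sample: the first two events are each written as several file
# records sharing one audit(timestamp:serial) key; the third is a USER record
# from another login session (auid=1001).  uid=0 with auid=1000 models a user
# who logged in as uid 1000 and then became root via su.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1181234567.123:4321): arch=c000003e syscall=164 success=yes exit=0 ppid=2001 pid=2045 auid=1000 uid=0 gid=0 euid=0 comm="date" exe="/bin/date" key="time-change"
type=CWD msg=audit(1181234567.123:4321): cwd="/root"
type=PATH msg=audit(1181234567.123:4321): item=0 name="/bin/date" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1181234567.500:4322): arch=c000003e syscall=59 success=yes exit=0 ppid=2045 pid=2050 auid=1000 uid=0 gid=0 euid=0 comm="stunnel" exe="/usr/sbin/stunnel" key="trusted-channel"
type=EXECVE msg=audit(1181234567.500:4322): argc=2 a0="stunnel" a1="/etc/stunnel/stunnel.conf"
type=USER msg=audit(1181234600.000:4323): user pid=2100 uid=0 auid=1001 msg='amtu: test=memory result=pass'
"""

# type=<TYPE> msg=audit(<seconds.millis>:<serial>): <fields>
KEY_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# key=value pairs; values may be double-quoted, single-quoted or bare
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_fields(rest):
    """Turn the key=value tail of a record into a dict, dropping quotes."""
    return {k: v.strip("\"'") for k, v in FIELD_RE.findall(rest)}


def collate_events(text):
    """Group file records by (timestamp, serial) in log order, the way
    ausearch gathers all records of one audit event before matching.
    Returns an ordered dict: event key -> list of (record type, fields)."""
    events = OrderedDict()
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real reader would report it
        rtype, ts, serial, rest = m.groups()
        events.setdefault((ts, int(serial)), []).append((rtype, parse_fields(rest)))
    return events


def search(events, auid=None, syscall=None, key=None):
    """Return the keys of events whose merged fields satisfy every criterion
    given.  auid is the login uid set by pam_loginuid, so filtering on it
    follows a session across su, where uid/euid would not."""
    hits = []
    for ekey, records in events.items():
        merged = {}
        for _, fields in records:
            merged.update(fields)  # later records add fields, e.g. cwd, name
        if auid is not None and merged.get("auid") != str(auid):
            continue
        if syscall is not None and merged.get("syscall") != str(syscall):
            continue
        if key is not None and merged.get("key") != key:
            continue
        hits.append(ekey)
    return hits


if __name__ == "__main__":
    evs = collate_events(SAMPLE_LOG)
    for ekey in search(evs, auid=1000):
        types = [rtype for rtype, _ in evs[ekey]]
        print("event %s:%d (%d records: %s)" % (ekey[0], ekey[1], len(types), ",".join(types)))
```

Searching on auid=1000 returns both the settimeofday event and the stunnel exec, although both ran with uid 0; searching on uid would attribute them to root and lose the link to the login user, which is exactly what the login uid association in the audit context is meant to preserve.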

5.7 Kernel modules

Kernel modules are pieces of object code that can be linked to, and unlinked from, the kernel at runtime. Kernel modules usually consist of a set of functions that implement a file system, a device driver, or other functions at the kernel’s upper layer.
