• serial: A unique number that helps identify a particular audit record. Along with ctime, it can determine which pieces belong to the same audit record. The (timestamp, serial) tuple is unique for each syscall and it lives from syscall entry to syscall exit.
• ctime: Time at system call entry.
• major: System call number.
• argv array: The first 4 arguments of the system call.
• name_count: Number of names. The maximum defined is 20.
• audit_names: An array of audit_names structures which holds the data copied by getname().
• auditable: This field is set to 1 if the audit_context needs to be written on syscall exit.
• pwd: Current working directory from where the task has started.
• pwdmnt: Current working directory mount point. pwdmnt and pwd are used to set the cwd field of the FS_WATCH audit record type.
• aux: A pointer to an auxiliary data structure used for event-specific audit information.
• pid: Process id.
• arch: The machine architecture.
• personality: The OS personality number.
• Other fields: The audit context also holds the various real, effective, saved and file system user and group ids: uid, euid, suid, fsuid, gid, egid, sgid, fsgid.
5.6.1.2 File system audit components
File system auditing is implemented using the inotify kernel file modification notification system (Section
5.1.4). The kernel audit subsystem initialization routine audit_init() registers a vector of inotify
operations using the inotify_init() function. The operations vector contains the audit subsystem
inotify event notification function audit_handle_ievent() and the audit subsystem inotify destroy
function audit_free_parent(). The audit subsystem inotify handle is returned by a successful
audit_init() call. When audit inotify events occur, audit_handle_ievent() updates the audit
context inode data to reflect changes in the watched file's status.
When the audit subsystem receives an instruction from auditctl to set a watch on a file system object, the
audit_receive_skb() function receives the netlink packet in the kernel. It in turn calls
audit_receive_message(), which dispatches the appropriate function based upon the operation
requested. For audit rule updates, it calls audit_receive_filter(). The
audit_receive_filter() routine calls audit_data_to_entry(), which converts the audit data
to a watch and calls audit_to_watch() to initialize the audit watch data structure, and then calls
audit_add_rule(). The audit_add_rule() function adds the inotify watch for the watch rule by
calling audit_add_watch(), which scans the list of active audit inotify watch parents and adds the parent
if it does not already exist by calling audit_init_parent(). The audit_init_parent() function
calls inotify_init_watch() and inotify_add_watch() to initialize the inotify watch and
register it with the inotify subsystem. It finally adds the watch to the parent by calling the
audit_add_to_parent() function, which associates the watch rule with the watch parent.
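The audit_context fields listed above (the (ctime, serial) tuple, name_count and the audit_names array, pwd) and the file watch rules described in this section become visible to an analyst as the SYSCALL, CWD and PATH records that one watched syscall emits to the audit log. The following added example (not code from the document or from the kernel) shows how a defender reassembles those records: it parses constructed sample log lines, groups them by the audit(timestamp:serial) tuple, joins the CWD and PATH records to their SYSCALL record, and checks that the number of PATH records matches the items= value (the kernel's name_count) so incomplete events are flagged. The log lines, the "passwd_changes" rule key and all numeric values are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit log lines (not taken from the document). Each line
# is one audit record; the audit(timestamp:serial) tuple in msg= ties together
# every record produced by one syscall, mirroring the (ctime, serial) pair in
# the kernel's audit_context. The key= value is a constructed watch rule key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0ffee00 a2=241 a3=1b6 items=2 ppid=1000 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 key="passwd_changes"
type=CWD msg=audit(1700000000.123:4242): cwd="/root"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/etc/" inode=1 dev=fd:00 mode=040755 ouid=0 ogid=0
type=PATH msg=audit(1700000000.123:4242): item=1 name="/etc/passwd" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.456:4243): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1 a1=0 a2=0 a3=0 items=1 ppid=1000 pid=1300 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 key="passwd_changes"
type=CWD msg=audit(1700000000.456:4243): cwd="/home/alice"
type=PATH msg=audit(1700000000.456:4243): item=0 name="/etc/shadow" inode=3 dev=fd:00 mode=0100000 ouid=0 ogid=0
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into (type, (timestamp, serial), {field: value})."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(m.group('rest')):
        fields[key] = val.strip('"')  # unquote values such as cwd="/root"
    return m.group('type'), (m.group('ts'), int(m.group('serial'))), fields


def group_events(log_text):
    """Group records by (timestamp, serial): {tuple: {record type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ident, fields = parsed
        events[ident][rtype].append(fields)
    return events


def summarize(records):
    """Join the SYSCALL, CWD and PATH records of one event into a single view."""
    syscall = records.get('SYSCALL', [{}])[0]
    cwd = records.get('CWD', [{}])[0].get('cwd')
    # PATH records are the audit_names array written out: item= is the index
    # into it and items= on the SYSCALL record is name_count, so they must agree.
    paths = sorted(records.get('PATH', []), key=lambda f: int(f['item']))
    names = [p['name'] for p in paths]
    expected = int(syscall.get('items', 0))
    return {
        'pid': int(syscall['pid']),
        'auid': int(syscall['auid']),
        'uid': int(syscall['uid']),
        'syscall': int(syscall['syscall']),
        'success': syscall.get('success') == 'yes',
        'key': syscall.get('key'),
        'cwd': cwd,
        'names': names,
        'complete': len(names) == expected,  # False if PATH records are missing
    }


def file_watch_hits(log_text, key):
    """Summaries of every event whose SYSCALL record carries the watch rule key."""
    return {ident: summarize(recs)
            for ident, recs in group_events(log_text).items()
            if recs.get('SYSCALL') and recs['SYSCALL'][0].get('key') == key}


if __name__ == '__main__':
    for (ts, serial), hit in sorted(file_watch_hits(SAMPLE_LOG, 'passwd_changes').items()):
        status = 'ok' if hit['complete'] else 'INCOMPLETE'
        print(f"{ts}:{serial} pid={hit['pid']} auid={hit['auid']} syscall={hit['syscall']} "
              f"success={hit['success']} cwd={hit['cwd']} names={hit['names']} [{status}]")
```

The grouping key is the full (timestamp, serial) tuple rather than the serial alone, for the reason the field list gives: the serial is only unique together with ctime. The `complete` flag is the practical use of name_count; an event whose PATH records were lost (for example through backlog overflow) should not be treated as a full description of what the syscall touched.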