• serial: A unique number that helps identify a particular audit record. Along with ctime, it can determine which pieces belong to the same audit record. The (timestamp, serial) tuple is unique for each syscall and it lives from syscall entry to syscall exit.
• ctime: Time at system call entry.
• major: System call number.
• argv array: The first 4 arguments of the system call.
• name_count: Number of names. The maximum defined is 20.
• audit_names: An array of audit_names structures which holds the data copied by getname().
• auditable: This field is set to 1 if the audit_context needs to be written on syscall exit.
• pwd: Current working directory from where the task has started.
• pwdmnt: Current working directory mount point. pwdmnt and pwd are used to set the cwd field of the FS_WATCH audit record type.
• aux: A pointer to an auxiliary data structure to be used for event-specific audit information.
• pid: Process id.
• arch: The machine architecture.
• personality: The OS personality number.
• Other fields: The audit context also holds the real, effective, saved and file system user and group ids: uid, euid, suid, fsuid, gid, egid, sgid, fsgid.
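As an added example that is not part of the design document, the following script reassembles audit log lines into records using the (ctime, serial) tuple described above; the log lines are constructed and follow the audit daemon's text format, where the tuple appears as msg=audit(ctime:serial) and the SYSCALL fields a0..a3, pid and the id fields, together with the CWD record, correspond to the argv array, pid, id fields and pwd/pwdmnt of the audit_context.

```python
import re
from collections import defaultdict

# Constructed sample in the audit daemon's text log format (not taken from the document).
# Every line carries msg=audit(<ctime>:<serial>); lines sharing that key are pieces of one record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000000.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 pid=4242 uid=1000 euid=1000 suid=1000 fsuid=1000 gid=100 egid=100 sgid=100 fsgid=100 comm="cat" exe="/bin/cat"
type=CWD msg=audit(1300000000.123:456): cwd="/home/user"
type=PATH msg=audit(1300000000.123:456): item=0 name="/etc/shadow" inode=12 dev=08:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1300000000.123:457): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=1 a2=0 a3=0 pid=4243 uid=1000 euid=1000 suid=1000 fsuid=1000 gid=100 egid=100 sgid=100 fsgid=100 comm="vi" exe="/usr/bin/vi"
type=CWD msg=audit(1300000000.123:457): cwd="/tmp"
type=PATH msg=audit(1300000000.123:457): item=0 name="/etc/shadow" inode=12 dev=08:01 mode=0100640 ouid=0 ogid=42
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return (record type, (ctime, serial), fields) for one log line, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ctime, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return rtype, (ctime, int(serial)), fields

def assemble_records(text):
    """Group lines by the (ctime, serial) tuple: one group per audited syscall."""
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            rtype, key, fields = parsed
            records[key][rtype].append(fields)
    return {k: dict(v) for k, v in records.items()}

def summarize(record):
    """Pull out the fields a reviewer checks first: syscall, outcome, ids, cwd, names."""
    sc = record["SYSCALL"][0]
    return {
        "syscall": int(sc["syscall"]), "success": sc["success"] == "yes",
        "pid": int(sc["pid"]), "euid": int(sc["euid"]), "fsuid": int(sc["fsuid"]),
        "args": [sc[a] for a in ("a0", "a1", "a2", "a3")],
        "cwd": record["CWD"][0]["cwd"] if "CWD" in record else None,
        "paths": [p["name"] for p in record.get("PATH", [])],
    }

if __name__ == "__main__":
    for key, rec in sorted(assemble_records(SAMPLE_LOG).items()):
        print(key, summarize(rec))
```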
5.6.1.2 File system audit components
File system auditing is implemented using the inotify kernel file modification notification system (Section 5.1.4). The kernel audit subsystem initialization routine audit_init() registers a vector of inotify operations using the inotify_init() function. The operations vector contains the audit subsystem inotify event notification function audit_handle_ievent() and the audit subsystem inotify destroy function audit_free_parent(). The audit subsystem inotify handle is returned by a successful audit_init() call. When audit inotify events occur, audit_handle_ievent() updates the audit context inode data to reflect changes in watched file status.
When the audit subsystem receives an instruction from auditctl to set a watch on a file system object, the audit_receive_skb() function receives the netlink packet in the kernel. It in turn calls audit_receive_message(), which dispatches the appropriate function based upon the operation requested. For audit rule updates, it calls audit_receive_filter(). The audit_receive_filter() routine calls audit_data_to_entry(), which converts the audit data to a watch and calls audit_to_watch() to initialize the audit watch data structure, and then calls audit_add_rule(). The audit_add_rule() function adds the inotify watch for the watch rule by calling audit_add_watch(), which scans the list of active audit inotify watch parents and adds the parent if it does not already exist by calling audit_init_parent(). The audit_init_parent() function calls inotify_init_watch() and inotify_add_watch() to initialize the inotify watch and register it with the inotify subsystem. It finally adds the watch to the parent by calling the audit_add_to_parent() function, which associates the watch rule with the watch parent.