IBM 10 SP1 EAL4 Server User Manual


 
5.6.1.1.5 Audit context fields
Login ID: Login ID is the user ID of the logged-in user. It remains unchanged through the
setuid() or seteuid() system calls. Login ID is required by the Controlled Access Protection
Profile to irrefutably associate a user with that user’s actions, even across su() calls or use of setuid
binaries.
state: state represents the audit state that controls the creation of per-task audit context and
filling of system call specifics in the audit context. It can take the following values:
AUDIT_DISABLED
Do not create per-task audit_context. No
syscall specific audit records will be
generated for the task
AUDIT_SETUP_CONTEXT
Create the per task audit_context,
but don't necessarily fill it in a syscall
entry time (i.e., filter instead).
AUDIT_BUILD_CONTEXT
Create the per task audit_context,
and always fill it in at syscall entry time.
This makes a full syscall record available
if some other part of the kernel decides it
should be recorded.
AUDIT_RECORD_CONTEXT
Create the per task audit_context,
always fill it in at syscall entry time, and
always write out the audit record at
syscall exit time.
Table 5-1: Audit Context States
in_syscall: States whether the process is running in a syscall versus in an interrupt.
134
Figure 5-71: Task Structure