• serial: A unique number that helps identify a particular audit record. Along with ctime, it can
determine which pieces belong to the same audit record. The (timestamp, serial) tuple is unique for
each syscall and it lives from syscall entry to syscall exit.
• ctime: Time at system call entry.
• major: System call number.
• argv array: The first 4 arguments of the system call.
• name_count: Number of names. The maximum defined is 20.
• audit_names: An array of audit_names structures, each holding the path data copied by
getname().
• auditable: This field is set to 1 if the audit_context needs to be written on syscall exit.
• pwd: Current working directory from where the task has started.
• pwdmnt: Mount point of the current working directory. pwdmnt and pwd are used to set the cwd field of
the FS_WATCH audit record type.
• aux: A pointer to auxiliary data structure to be used for event specific audit information.
• pid: Process id.
• arch: The machine architecture.
• personality: The OS personality number.
• Other fields: The audit context also holds the real, effective, saved and file system user and group
IDs: uid, euid, suid, fsuid, gid, egid, sgid, fsgid.
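The (timestamp, serial) tuple described above is what ties together the several records one system call produces once they reach the audit log. As an added example (not part of the original document), the following Python groups auditd-format log lines by that key and builds a per-syscall summary; it assumes the standard auditd record header `type=<TYPE> msg=audit(<time>:<serial>): ...`, and the sample lines are constructed.

```python
"""Group auditd records into events keyed by (timestamp, serial).

Added example, not from the original document. It assumes the auditd userspace
log format, in which each record carries msg=audit(<ctime>.<ms>:<serial>) and all
records emitted for one system call share that key. Sample lines are constructed.
"""
import re
from collections import OrderedDict

# Constructed sample: an open() of a watched path yields SYSCALL, CWD and PATH
# records with one key; a second, unrelated execve() has its own serial.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1234 a1=0 a2=0 a3=0 items=1 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="passwd_watch"
type=CWD msg=audit(1700000000.123:501): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:501): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.456:502): arch=c000003e syscall=59 success=yes exit=0 a0=55aa a1=55bb a2=55cc a3=7fff items=2 ppid=4242 pid=4243 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.456:502): argc=2 a0="ls" a1="-l"
"""

# Record header: type, then the (ctime, serial) pair, then a free-form body.
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# Body fields are key=value pairs; values may be double-quoted strings.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one log line; return None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {
        "type": m.group("type"),
        "key": (m.group("ts"), int(m.group("serial"))),
        "fields": fields,
    }


def group_events(text):
    """Collect records sharing a (timestamp, serial) key, preserving log order."""
    events = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["key"], []).append(rec)
    return events


def summarize(events):
    """Fold each event's records into one dict mirroring the audit_context fields."""
    out = []
    for (ts, serial), recs in events.items():
        by_type = {}
        for r in recs:
            by_type.setdefault(r["type"], []).append(r["fields"])
        sc = by_type.get("SYSCALL", [{}])[0]
        key = sc.get("key")
        out.append({
            "serial": serial,
            "ctime": float(ts),
            "syscall": int(sc.get("syscall", -1)),          # the 'major' field
            "argv": [sc.get(a) for a in ("a0", "a1", "a2", "a3")],  # first 4 args
            "comm": sc.get("comm"),
            "cwd": by_type.get("CWD", [{}])[0].get("cwd"),
            "paths": [p["name"] for p in by_type.get("PATH", []) if "name" in p],
            # auditctl -k gives a watch rule a key; unkeyed syscalls log key=(null)
            "watch_key": None if key in (None, "(null)") else key,
        })
    return out


if __name__ == "__main__":
    for ev in summarize(group_events(SAMPLE_LOG)):
        print(ev)
```

Records of one syscall are not guaranteed to be adjacent in a busy log, so grouping on the key rather than on line adjacency is what makes the reconstruction reliable; records that arrive with no matching SYSCALL record still get their own event and can be flagged for review.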
5.6.1.2 File system audit components
File system auditing is implemented using the inotify kernel file modification notification system (Section
5.1.4). The kernel audit subsystem initialization routine audit_init() registers a vector of inotify
operations using the inotify_init() function. The operations vector contains the audit subsystem
inotify event notification function audit_handle_ievent() and the audit subsystem inotify destroy
function audit_free_parent(). The audit subsystem inotify handle is returned by a successful
audit_init() call. When audit inotify events occur, audit_handle_ievent() updates the audit
context inode data to reflect changes in the watched file's status.
When the audit subsystem receives an instruction from auditctl to set a watch on a file system object, the
audit_receive_skb() function receives the netlink packet in the kernel. It in turn calls
audit_receive_message(), which dispatches the appropriate function based upon the operation
requested. For audit rule updates, it calls audit_receive_filter(). The
audit_receive_filter() routine calls audit_data_to_entry(), which converts the audit data
to a watch and calls audit_to_watch() to initialize the audit watch data structure, and then calls
audit_add_rule(). The audit_add_rule() function adds the inotify watch for the watch rule by
calling audit_add_watch(), which scans the list of active audit inotify watch parents and adds the parent
if it does not already exist by calling audit_init_parent(). The audit_init_parent() function
calls inotify_init_watch() and inotify_add_watch() to initialize the inotify watch and
register it with the inotify subsystem. It finally adds the watch to the parent by calling the
audit_add_to_parent() function, which associates the watch rule with the watch parent.