IBM 10 SP1 EAL4 Server User Manual

Event Description                                   LAF audit events
Execution of the test of the underlying machine     Audit message from the amtu utility;
and the result of the test                          audit record type: USER
Changes to system time                              Syscalls settimeofday, adjtimex
Setting up a trusted channel                        Syscall exec (of the stunnel program)
Table 5-4: Audit Subsystem event codes
5.6.4 Audit tools
In addition to the main components, the user level provides a search utility, ausearch, and a trace utility,
autrace. ausearch finds the records in the audit log that match the criteria given on its command line,
while autrace audits all syscalls issued by the process being traced. The man pages for these two utilities
detail all the options that can be used for each. In this section we briefly describe how they operate.
5.6.4.1 auditctl
The auditctl command configures and examines the kernel audit subsystem. It allows the setting of
syscall rules, file watches, various audit characteristics, and the sending of userspace messages. It
communicates with the kernel using the netlink socket interface via the audit library. For more information
on auditctl, please see the auditctl(8) man page. Use of auditctl is restricted in the TOE to
administrative users.
5.6.4.2 ausearch
Only root has the ability to run this tool. ausearch first checks that the parameters passed to it are valid
and supported. It then opens either the logs or the administrator-specified files; the location of the logs is
taken from /etc/auditd.conf. After that, ausearch processes the records one at a time, matching them
against the search criteria. A single audit event can be written into the log as several records (for example
a SYSCALL record followed by CWD and PATH records, all carrying the same timestamp and serial number).
The tool collates all the records of one event into a linked list before it checks whether the event matches
the requested search criteria. For more information on ausearch, please see the ausearch(8) man page.
5.6.5 Login uid association
The pam_loginuid.so module writes the login uid of the authenticated user to the /proc entry of the
authenticating process (/proc/self/loginuid, i.e. /proc/<pid>/loginuid for that process). The loginuid file
is writable only by root and readable by everyone. Writing it makes the /proc file system call the kernel
function audit_set_loginuid(), which stores the login uid in the audit context of the process. From then on
the login uid is inherited by every child process of the session and recorded in the auid field of each audit
record, so all operations done in the session can be traced back to exactly the user who logged in, even
after the uid has changed through su or a setuid program.
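The collation step of ausearch (5.6.4.2) and the auid field that the login uid mechanism of 5.6.5 puts into every record, shown together as an added example. This is not the TOE's ausearch source; it reimplements the same idea over a handful of constructed log lines. Assumptions: the record layout follows the Linux audit format of the period (type=... msg=audit(timestamp:serial): key=value ...), the syscall numbers are those of x86_64 (arch=c000003e), and only the three syscalls named in Table 5-4 are mapped to names.

```python
"""ausearch-style collation and event-level search over audit records.

Added example, not the TOE's ausearch source.  It demonstrates two points from
the text: a single audit event is spread over several log records that share
the same msg=audit(timestamp:serial) tag and must be collated before matching,
and the auid (login uid) field set through /proc/<pid>/loginuid is what ties a
record back to the user who logged in, even after su to root.
Assumptions: the log lines below are constructed for the example, and the
syscall numbers are those of x86_64 (arch=c000003e).
"""
import re
from collections import OrderedDict

AUID_UNSET = 4294967295   # (unsigned)-1: loginuid never set, e.g. a daemon started by init

# Constructed sample: an amtu USER message, a settimeofday by a user who had
# su'd to root (uid=0 but auid=500), an execve of stunnel by uid 501, and an
# adjtimex by ntpd, which was started by init and so has no login uid.
SAMPLE_LOG = """\
type=USER msg=audit(1180000000.101:20): user pid=2001 uid=0 auid=500 msg='amtu: memory separation test passed: exe="/usr/bin/amtu" res=success'
type=SYSCALL msg=audit(1180000000.202:21): arch=c000003e syscall=164 success=yes exit=0 a0=7fff1c40 a1=0 a2=0 a3=0 items=0 ppid=1999 pid=2002 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="date" exe="/bin/date" key="time-change"
type=CWD msg=audit(1180000000.202:21):  cwd="/root"
type=SYSCALL msg=audit(1180000000.303:22): arch=c000003e syscall=59 success=yes exit=0 a0=6020c0 a1=6021a0 a2=602230 a3=0 items=2 ppid=2000 pid=2003 auid=501 uid=501 gid=100 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 comm="stunnel" exe="/usr/sbin/stunnel" key="trusted-channel"
type=CWD msg=audit(1180000000.303:22):  cwd="/home/bob"
type=PATH msg=audit(1180000000.303:22): item=0 name="/usr/sbin/stunnel" inode=131074 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1180000000.303:22): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=262145 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1180000000.404:23): arch=c000003e syscall=159 success=yes exit=0 a0=7fff2a00 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1500 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
"""

# x86_64 numbers for the syscalls named in Table 5-4, so a search can use the
# syscall name rather than its number (assumption: only these three are mapped).
SYSCALL_NAMES = {"159": "adjtimex", "164": "settimeofday", "59": "execve"}

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs: the value is double-quoted, single-quoted (a USER msg='...'
# may itself contain double-quoted fields, kept as one value), or bare.
FIELD_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_record(line):
    """Parse one log line into a dict of fields; None if it is not a record."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = {"type": m.group("type"), "ts": m.group("ts"),
              "serial": int(m.group("serial"))}
    for fm in FIELD_RE.finditer(m.group("body")):
        value = next(v for v in fm.groups()[1:] if v is not None)
        fields.setdefault(fm.group(1), value)
    if fields["type"] == "SYSCALL":
        fields["syscall_name"] = SYSCALL_NAMES.get(fields.get("syscall"), "?")
    return fields


def collate(log_text):
    """Group records by serial number (the audit event id), in log order.

    This is the 'linked list' step: every record of an event is gathered
    before any criterion is applied, so a match on a PATH field can be
    combined with a match on the SYSCALL record of the same event.
    """
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def search(events, **criteria):
    """Serials of events satisfying every field=value criterion.

    A criterion holds if any record of the event carries that field with that
    value, mirroring how ausearch options such as -sc (syscall), -k (key),
    -ul (login uid) and -f (file name) all select whole events.
    """
    return [serial for serial, records in events.items()
            if all(any(field in r and str(r[field]) == str(value) for r in records)
                   for field, value in criteria.items())]


def login_user_of(events, serial):
    """(login uid, uid) an event traces back to; None if no login uid was set."""
    for r in events[serial]:
        if "auid" in r:
            if int(r["auid"]) == AUID_UNSET:
                return None
            return r["auid"], r["uid"]
    return None


if __name__ == "__main__":
    ev = collate(SAMPLE_LOG)
    print(len(ev), "events")
    for serial in search(ev, key="time-change"):
        print("time change", serial, "login user (auid, uid):", login_user_of(ev, serial))
    print("stunnel exec:", search(ev, syscall_name="execve", name="/usr/sbin/stunnel"))
```

The search for key="time-change" returns the date run and the ntpd run; only the first traces to a login user (auid 500, although the syscall was issued as uid 0), while ntpd carries the unset value 4294967295 and should be reported as "no login user" rather than matched to anyone. The stunnel search combines a criterion from the SYSCALL record with one from a PATH record of the same event, which only works because the records were collated first.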
5.7 Kernel modules
Kernel modules are pieces of object code that can be linked to, and unlinked from, the kernel at runtime.
Kernel modules usually consist of a set of functions that implement a file system, a device driver, or other
functions at the kernel’s upper layer.
146