[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Auditing - Snare, LAuS, SELinux


On Wed, 2004-08-25 at 10:53, Jonathan Abbey wrote:
> On Wed, Aug 25, 2004 at 01:02:33PM +0200, Olaf Kirch wrote:
> | Hi,
> | 
> | sorry for taking so long to reply - audit has taken a back seat for the
> | past couple of weeks for me.
> Hi, Olaf.  I'm a reasonably low-level contributor to the Snare
> project.. hope you don't mind my 1.5 cents here.
> | > 2) Rik's implementation
> | > ++ Now part of kernel 2.6.6!
> | > + Integrated within SELinux
> | 
> | I think that's a neutral, or even a minus from my perspective.  I would
> | very much prefer an audit solution that is agnostic of the security
> | infrastructure you use.
> | 
> | You may want to use auditing with subdomain, or you may even want to use
> | it without any security modules at all (because frankly, SElinux sucks
> | performance-wise, and it's not terribly stable yet either)
> Rik's audit work can be used without the bulk of SELinux, as I
> understand the implementation?
Correct, the 2.6 audit code can be used without SELinux.  SELinux uses
the audit log capabilites and therefore depends on the base audit
support in the kernel.  You can make use of SELinux policy files to
create rules for generating audit records.  I talk more about this in
the attachment.  I do not think Olaf has seen it. I sent it out to the
linux-audit list yesterday.

I have everyone on the Cc list entered on the linux-audit list except
for Olaf and Ktill - if you want me to add you please let me know.

Peter -
> | > - Very basic daemon capabilities (filtering / reporting / etc.)
> | > - Two-part auditing (event, then returncode as separate info), which
> | > makes the daemon side a little harder
> | 
> | Yes, that is something that needs to be changed. If you do stuff like
> | switching audit files on the fly (i.e. writing to N different buckets),
> | the records for call and outcome may end up in two different files,
> | which is hard to deal with in the user land tools.
> I would also expect that splitting the auditing like this would
> unnecessarily increase kernel/userland traffic, without significantly
> reducing the memory loading in the kernel.
> | > 3) Snare's kernel component
> | 
> | Okay, so I'm going to comment on snare. Please don't take anything
> | I say below personal, Leigh... also keep in mind that this applies
> | to when I last looked at the code over a year ago; maybe you've got
> | all of these issues fixed by now. Maybe I'm even mixing up some details
> | with syscalltracker.
> | 
> | > - Programmed by a team that really would prefer NOT to be doing things
> | > in the kernel. :) .. but have MANY years of experience in managing audit
> | > log data in high security organisations.
> | > ++ Integrated into SGI Altix
> | > ++ Integrated into some HP distributions
> | > ++ Required as part of US DoD COE, and NASA.
> | 
> | I think DiiCOE is wrong in mandating specific implementations and
> | package names.
> | 
> | > + Great daemon & GUI (though, I'm biased ;)
> | 
> | I looked into snare a year and a half ago when we evaluated different
> | audit solutions, and I thought the audit record format, and the daemon
> | were rather complicated.  One thing that struck me as particularly painful
> | was the fact that it wasn't written with performance in mind. Snare
> | does almost no filtering in the kernel, so all data has to travel up to the
> | daemon, where it gets processed. Rule evaluation isn't very fast either,
> | for instance, rules including a user name would be evaluated by doing
> | a getpwuid on the uid doing the system call, and then a strcmp was
> | done. Which is also fairly prone to deadlock if you start auditing system
> | services such as nscd.
> Well, the Snare kernel doesn't audit its own audit daemon, which
> prevents the most obvious cause of runaway auditing.  The audit daemon
> as of Snare 0.9.6 now maintains a simple in-process cache for user and
> group names to mitigate nscd spamming as well, though it could be
> expanded significantly beyond the simple two entry cache it uses at
> present.
> The audit daemon's efficiency has been increased by a factor of 10 or
> so in the recent code, the username/groupname caching being part of
> that.  There's still more work to do, though, particularly at the
> kernel/userland interface.
> | The kernel code also suffered from several major problems; it was messing
> | around with the system call table, which is a major no-no (it doesn't seem
> | to do that anymore). It also covers just a fraction of the system
> | calls you need to cover in order to actually achieve CAPP certification.
> | It also doesn't deal with the problems of system call arguments being
> | modified between performing the system call, and building the audit
> | record (think of shared memory - the string passed into open() may change
> | while your process is in the kernel). It also doesn't even attempt to
> | resolve the path names passed into system functions, which is rather
> | useless. It also lacks a login id, which is crucial for CAPP compliance.
> All true in the current implementation.  I looked at the argument
> locking issues somewhat when I was adapting Snare 0.9.6 to the Fedora
> Core 2 kernel, but it's clear that handling that will require a
> significant rework of a lot of the in-kernel implementation.
> The login id tracking is a more significant shortcoming of Snare,
> obviously, as well as the inability of the Snare userland tools to
> restricted auditing to certain process trees.
> | From an evaluation perspective, I think the snare daemon also didn't fare
> | very well when it came to assuring that audit records never got lost.
> | 
> | One major question is portability - for laus we had to support
> | i386, x86_64, ppc, ppc64, s390, s390x and are currently doing ia64.
> The Snare kernel patch has portability covered pretty well these days,
> actually, as it just instruments individual syscalls rather than
> trying to hook into the platform-specific syscall mechanisms.  I've
> built Snare-equipped 2.6.[678] FC2 kernels for x86_64 as well as x86,
> without any issues.
> Instrumenting individual syscalls makes it a pretty invasive patch, of
> course.
> | I liked the GUI though; that would be something that'd be nice to have.
> | 
> | > * Although selinux and auditing have a pretty common user-set, and I
> | > think they can work well together, I'm worried that selinux may not
> | > supply us with all the information we need (eg: will all 'denied' calls
> | > be passed to audit?)
> | 
> | That is my concern with selinux based auditing as well. By placing audit
> | hooks inside selinux (or the LSM framework in general), we will only be
> | called by the time the kernel needs to make a policy decision.
> | 
> | What I am wondering is whether we actually need selinux or the LSM hooks
> | to make a decision whether to log a call or not. Rik's code is able to
> | catch all system calls on return, which is the logical place to make
> | a decision on whether to create an audit record or not. The only
> | thing we really need is to collect system call arguments as the are
> | consumed by the kernel (i.e. copied from user to kernel space).
> The biggest dissatisfaction we have with the 2.6.6 audit framework is
> that syscall arguments are not logged in the event of early abort of
> syscall processing due to a lack of capabilities, etc.  We read NISPOM
> Ch. 8 as requiring detailed logging of failed attempts to access
> "security-relevant objects".  A non-root user attempting to do root
> actions like 'chroot' is a pretty silly user, but NISPOM would like to
> know that sort of thing.
> Therefore, we would prefer to see a mechanism in which all auditable
> parameters are copied to kernel space up front, and that the syscalls
> would then be written to use the pre-copied parameters rather than
> doing direct mapping from user space.  There would obviously be
> certain kinds of parameters that could not reasonably be audited in
> such a framework, but that will be true in any prospective auditing
> system.
> That makes for a more invasive patch, though, with different code
> paths for audited and non-audited processes.
> | Maybe there's even a way we can tap into copy_from_user pretty much
> | the same way Rik taps into getname.
> Hmm.. we could perhaps add a identifying tag as an additional
> parameter to copy_from_user, so as to allow tracking of multiple
> parameters copied from user space, but that still wouldn't support
> full auditing of preemptively rejected syscalls.
> | > Without breaking any confidentiality agreements / product plans native
> | > to Redhat or SuSE, do you think that there might be scope for a combined
> | > way forward? If so, do we:
> | > * Adopt Rik's stuff as a base, and merge the useful bits of Snare and
> | > LAuS into it?
> | >  - Olaf: Will SuSE be taking on SeLinux for 2.6.6+? Do your SELinux &
> | > audit customers generally overlap?
> | 
> | We have plans for using SELinux, but I really want an audit framework
> | decoupled from the security module.
> | 
> | With Rik's stuff in 2.6, I think we have a foundation we can build upon.
> | Fortunately, the intercept mechanism Rik used is more or less what we
> | did for 2.4, so that's good (our 2.6 implementation is different, but
> | that doesn't mean we have to keep it).
> | 
> | > * Can we make things generic enough to cover pluggable system call
> | > interception?
> | 
> | What do you mean by this?
> | 
> | Cheers
> | Olaf
> | -- 
> | Olaf Kirch     |  The Hardware Gods hate me.
> | okir suse de   |
> | ---------------+ 
Kernel Configuration:  

There are two kernel config options that control the level of audit support 
compiled into the kernel.  The options are:

CONFIG_AUDIT:  This enables the base level of audit support required by SELinux.

CONFIG_AUDITSYSCALL:  This enables the ptrace hooks for the full syscall audit 
trace.  The currently supported architectures include X86, PPC64, S390, IA64, 

Kernel Command Line Parameters:

There is only one audit related kernel command line option, "audit".  The
"audit" option enables and disables the audit syscall support.  The "audit" 
parameter does not control the audit support required by SELinux.  You cannot 
disable the audit support that SELinux depends on without recompiling the kernel 
with CONFIG_AUDIT disabled.

System call auditing can have a performance impact on the system, since each 
system call can be audited.  When audit=0 is passed on the command line, only
the logging facilities of the audit system are enabled, and performance is 
only impacted (slightly) when SELinux is emitting audit records.

Examples of the various options, and what gets logged to the console, follows.

With audit=1 appended to the kernel command line:

Aug  4 09:55:39 dhcp83-26 kernel: Kernel command line: ro root=LABEL=/ rhgb quiet audit=1
Aug  4 09:55:39 dhcp83-26 kernel: audit: enabled (after initialization)
Aug  4 09:55:39 dhcp83-26 kernel: audit: initializing netlink socket (enabled)
Aug  4 09:55:39 dhcp83-26 kernel: audit(1091613289.775:0): initialized

With audit=0 appended to the kernel command line:

Aug  4 10:02:42 dhcp83-26 kernel: Kernel command line: ro root=LABEL=/ rhgb quiet audit=0
Aug  4 10:02:42 dhcp83-26 kernel: audit: disabled (after initialization)
Aug  4 10:02:43 dhcp83-26 kernel: audit: initializing netlink socket (disabled)
Aug  4 10:02:43 dhcp83-26 kernel: audit(1091613713.134:0): initialized

The default case, no audit specific information appended to the kernel command

Aug  3 11:11:47 dhcp83-26 kernel: Kernel command line: ro root=LABEL=/ rhgb quiet
Aug  3 11:11:48 dhcp83-26 kernel: audit: initializing netlink socket (disabled)
Aug  3 11:11:48 dhcp83-26 kernel: audit(1091531456.171:0): initialized

Unless you specify audit=0, or audit=1, on the kernel command line you will not
get the "kernel: audit: disabled (after initialization)" output logged to the 
console or syslog.  Appending "audit=0" to the kernel command line is 
functionaly equivalent to the default case.

The first audit record logged is "kernel: audit(1091531456.171:0): initialized".
The format of the audit record includes the current time, (1091531456.171 = 
seconds.milli-seconds)", the serial number assigned to the audit record,  
(:0 = serial number),  and the text passed in by the initial audit_log() call, 

User Space Commands 

You will need to build the latest audit user space commands. You can obtain the 
latest user space tar.gz file from http://people.redhat.com/peterm/audit.  The 
latest version is auditd-0.5.tar.gz.  This is the last version that the original 
author, Rik Faith, wrote.  Look for newer versions with the same filename format
in the future.  Uncompress the tar.gz file and isuue the configure command with 
the proper path to your 2.6 Linux kernel include directory, e.g.;

bash# ./configure --with-audith=/usr/src/linux/include

After configure has a chance to run follow it up with a make.  Run the auditctl 
command with the -s option to verify that audit is enabled in your kernel.

bash# ./auditctl -s
AUDIT_STATUS: enabled=0 failure=1 pid=0 rate_limit=0 backlog_limit=64 lost=0 backlog=0

If it is not enabled, i.e. enabled=0, then enable audit support with the -e option;

bash# ./auditctl -e 1
AUDIT_STATUS: enabled=1 failure=1 pid=0 rate_limit=0 backlog_limit=64 lost=0 backlog=0

The -a option allows specific rules to be added for syscal auditing.  To audit
the read system call as an example;

bash# ./auditctl -a entry,always -S read
AUDIT_LIST: entry always syscall=read

Available rule lists include task, entry, and exit.  Available actions include 
always, possible, and never.

During runtime you can verify the current list of syscalls being audited with
the -l option;

bash# ./auditctl -l
AUDIT_LIST: entry always syscall=read

To monitor all system calls you would use:

./auditctl -a entry,always -S all

For reference the auditctl usage information can be displayed with the -h 

bash# ./auditctl -h
usage: auditctl [options]
       -h         Help
       -s         Report status
       -e [0|1]   Set enabled flag
       -f [0..2]  Set failure flag
                  0=silent 1=printk 2=panic
       -p <pid>   Set pid of auditd (testing only)
       -r <rate>  Set limit in messages/sec (0=none)
       -l         List rules
       -a <l,a>   Add rule at end of <l>ist with <a>ction
       -A <l,a>   Add rule at beginning <l>ist with <a>ction
       -d <l,a>   Delete rule from <l>ist with <a>ction
                  l=task,entry,exit a=never,possible,always
       -S syscall Build rule: syscall name or number
       -F f=v     Build rule: field name, value
       -m text    Send a user-space message
       -L uid,txt Set login uid and send login message

Audit State:

During runtime you can determine if audit syscall support is active by using the
auditctl command with the -s option.  The message type which returns the status 
information is AUDIT_GET.  An example follows:

bash# ./auditctl -s
AUDIT_STATUS: enabled=0 failure=1 pid=0 rate_limit=0 backlog_limit=64 lost=0 

The fields are defined as follows:


    This is the syscall audit enabled flag, 0=not enabled, 1=enabled.
    This is the audit_enabled variable in audit.c.


    This determines what audit will do if it encounters an error and
    cannot proceed. This is the audit_failure variable in audit.c.
    The various options are:
	 AUDIT_FAIL_PRINTK: Log the audit record using printk if you cannot
	 communicate over the netlink socket.  This is the default action.

         AUDIT_FAIL_SILENT: Do nothing, report nothing, just skip logging the 
	 record and continue.

         AUDIT_FAIL_PANIC: Call panic() with the pending audit record text.


    This is the PID that audit is writing netlink socket information 
    to.  This is the audit_pid variable in audit.c.


    If non-zero, this is the maximum number of messages sent per second.
    The default is zero, not enabled.  This is the audit_rate_limit 
    variable in audit.c.


    This is the maximum number of outstanding audit buffers allowed.  
    The default is 64.  This is the audit_rate_limit variable in audit.c.


    The number of lost audit records.  This is the audit_rate_limit 
    variable in audit.c.


    The number of outstanding audit buffers.  The value needs to be kept 
    below audit_backlog_limit in order to avoid dropping audit records. 
    This is the audit_backlog variable in audit.c.

Task Filtering:

You can audit specific system calls by adding the entries into one of the 
three linked lists as discussed in an earlier.

To track a specific task you would use:

./auditctl -a exit, always -S all -F loginuid=1000
./auditctl -L 1000,"auditing loginuid 1000"

The second line is not required, it just generates an syslog entry when the
auditing on the specified uid starts.

The supported field names include: pid, uid, euid, suid, fsuid, gid, egid, 
sgid, fsgid, loginuid, pers, devmajor, devminor, inode, exit, success, 
a0, a1, a2, a3.  The following sections describe where the field entries
originate from.

The pid, uid, euid, suid, fsuid, gid, egid, sgid, fsgid, and pers, (short 
for "pesonality"), are from task_struct defined in include/linux/sched.h.

struct task_struct {
	unsigned long personality;
	pid_t pid;
	uid_t uid,euid,suid,fsuid;
	gid_t gid,egid,sgid,fsgid;
	struct audit_context *audit_context;

The loginuid, devmajor, devminor, inode, exit, success, a0, a1, a2, and a3
fields are from the audit_context structure off of task_struct.

struct audit_context {
	uid_t		    loginuid;   /* login uid (identity) */
	unsigned long	    argv[4];    /* syscall arguments */
	int		    return_code;/* syscall return code */
	struct audit_names  names[AUDIT_NAMES]; /* inode and devs */

Loginuid field is contained in the audit_context loginuid.  The a0-a3 field 
names are contained in the audit_context argv[] array.  The exit and success 
fields share the audit_context return_code entry.  The remaining fields,
(inode, devmajor, devminor), are contained in the audit_names struct.

struct audit_names {
	const char	*name;
	unsigned long	ino;
	dev_t		rdev;

The inode field is contained in the audit_names ino unsigned long, the devmajor
and devminor fields share the audit_names rdev dev_t entry.

Lost Audit Records:

Audit records can be lost due to the following reasons.  Audit cannot allocate 
an audit buffer, cannot obtain an socket buffer, exceeded the value set in
audit_rate_limit, exceeded the backlog limit specified in audit_backlog_limit.


Kernel AVC, (Access Vector Cache), SELinux routines use the audit_buffer 
struct for display support via the avc_dump_av(), avc_dump_query(), and 
avc_dump_cache() functions.  SELinux allocates an audit_buffer for its own 
use by calling audit_log_start(), builds up the msg using audit_log_format(),
fills in the dentry using audit_log_d_path(), and sends the completed avc 
record to user space, or /var/log/message, by calling audit_log_end().

The main SELinux routine is selinux/avc.c:avc_audit().  avc_audit() calls 
avc_dump_av() to gather access vector information and avc_dump_query() 
to obtain the source security identifier(SSID), target security
identifier(TSID), and the target security class(TCLASS).

SELinux installs targeted policy by default in Fedora Core 3 Test 1.  You can 
check to see if SELinux is active on your system by adding a "-Z" option to
one of the os commands.  You can also check for a mounted SELinux file system,
in a RedHat distribution the mount point would be /selinux. As an example,
with SELinux enabled, "ls -lZ /etc/passwd" will show the following output:

-rw-r--r--  root     root     system_u:object_r:etc_t          /etc/passwd

The fourth field in the ls output is the security context associated with 
the file.  It is stored in the extended attributes of the file system.  
SELinux uses the security context when checking access rights.

To setup a specific filter to generate audit records for any access to 
/etc/passwd you need to use the SELinux information displayed by using the "-Z" 
command line option.  The ls output tells us that the /etc/passwd file is of
type etc_t.  Once you know the type of the file to be audited you will
need to create a domain file to enable auditing specifically for that type,
in our case etc_t.  On the RedHat installation disk disk #4 you will need to
install the selinux-policy-targeted-sources RPM, e.g. "rpm -Uhv 
In the /src/policy/domains directory you will need to create an audit.te, (
the audit type enforcement file), with the following contents:

auditallow * etc_t:file *;

The fields in the audit.te file can be broken down as follows. "auditallow"
tells SELinux to send an audit message anytime it matches the rest of the 
sentence.  The second field "*" means match any domain.  In SELinux processes
also have types, but for historical reasons, they are also referred to in
that case as having domains.  This does not apply to non-processes.  "etc_t"
refers to the domain, "file" describes the object.  The final "*" says match
any access.  The example audit.te policy tells SELinux to audit all access by
any domain of files marked with the security context etc_t.

You will need to rebuild SELinux policy to include your new rule.  From /etc/
selinux/targeted/src/policy you need to "make load; make -W users load".
Executing the "ls -lZ /etc/passwd" command now results in several audit 
records being logged by SELinux, (the records have been broken up to
avoid line wrap):

Aug  4 14:25:15 dhcp83-26 kernel: audit(1091643915.064:0): avc:  granted  
{ read } for  pid=4940 exe=/bin/ls name=passwd dev=hda3 ino=1454372 scontext=
root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file

Aug  4 14:25:15 dhcp83-26 kernel: audit(1091643915.065:0): avc:  granted
{ getattr } for  pid=4940 exe=/bin/ls path=/etc/passwd dev=hda3 ino=1454372 
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file

Aug  4 14:25:15 dhcp83-26 kernel: audit(1091643915.065:0): avc:  granted  
{ read } for  pid=4940 exe=/bin/ls path=/etc/passwd dev=hda3 ino=1454372 
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file

Executing "cat /etc/passwd" produces the following output:

Aug  4 14:25:07 dhcp83-26 kernel: audit(1091643907.561:0): avc:  granted
{ read } for  pid=4937 exe=/bin/cat name=passwd dev=hda3 ino=1454372 
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file

Aug  4 14:25:07 dhcp83-26 kernel: audit(1091643907.561:0): avc:  granted
{ getattr } for  pid=4937 exe=/bin/cat path=/etc/passwd dev=hda3 ino=1454372
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file

Aug  4 14:25:07 dhcp83-26 kernel: audit(1091643907.562:0): avc:  granted
{ read } for  pid=4937 exe=/bin/cat path=/etc/passwd dev=hda3 ino=1454372
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file

Aug  4 14:25:07 dhcp83-26 kernel: audit(1091643907.563:0): avc:  granted
{ read } for  pid=4937 exe=/bin/cat path=/etc/passwd dev=hda3 ino=1454372 
scontext=root:system_r:unconfined_t tcontext=system_u:object_r:etc_t tclass=file

The problem with using SELinux to control what groups get flagged for auditing
is that the domains can include a large number of objects.  Enabling the etc_t 
domain caused any access to any file in /etc to be logged.  For more granular
auditing you need to create rules outside of SELinux specific to audit.

Audit Kernel routines:

The kernel routines for audit consist of kernel/audit.c and kernel/auditsc.c.	
audit.c contains the generic logging code.  auditsc.c contains the syscall
auditing code.


    audit_set_rate_limit, audit_set_backlog_limit, audit_set_enabled, 
    audit_set_failure, audit_log_sdtart, audit_log_format, audit_log_end_irq, 
    audit_log_end_fast, audit_log_end, audit_log, audit_log_d_path, 
    auditsc.c:audit_alloc, auditsc.c:audit_free, auditsc.c:audit_syscall_entry, 
    auditsc.c:audit_syscall_exit, auditsc.c:audit_getname, 
    auditsc.c:audit_putname, auditsc.c:audit_inode.


audit_panic() - Switches on mode specified in audit_failure.  Current modes

    CALLED BY: audit_log_lost(), audit_init().

audit_rate_check() - Checks to make sure we are below msg log limits.

    CALLED BY: audit_log_start(), audit_log_end_fast().

audit_log_lost() - Prints at least one log msg per second regardless of rate

    CALLED BY: audit_log_move(), audit_log_drain(), audit_log_start(), 
        audit_log_start(), audit_log_end_fast(), auditsc.c:audit_alloc().
    CALLS: audit_panic().

audit_set_rate_limit() - Sets the static int audit_rate_limit to the specified
		       number of messages per second.

    CALLED BY: audit_receive_msg().
    CALLS: audit_log().

audit_set_backlog_limit() - Sets the static int audit_backlog_limit to the 
                          number of outstanding audit buffers.  Default is 64.

    CALLED BY: audit_receive_msg().
    CALLS: audit_log().

audit_set_enabled() - Sets the specified audit state in the global 

    CALLED BY: audit_receive_msg().
    CALLS: audit_log().

audit_set_failure() - Sets the specified failure state in static audit_failure.  

    CALLED BY: audit_receive_msg().
    CALLS: audit_log().

audit_send_reply() - Sends msg to netlink socket.

    CALLED BY: audit_receive_msg().

audit_receive_msg() - Processes received sk_buff.  Valid types include 

    CALLED BY: audit_receive_skb().
    CALLS: audit_send_reply(), audit_set_enabled(), audit_set_failure(),
        audit_log(), audit_set_rate_limit(), audit_set_backlog_limit(), 
        audit_log_start(), audit_log_format(), audit_log_end(), 
	audit_set_loginuid(), audit_receive_filter().

audit_receive_skb() - Get msg from sk_buff.

    CALLED BY: audit_receive().
    CALLS: audit_receive_msg().

audit_receive() - Receive msg from netlink socket.  Receive function associated 
		with netlink socket.
    CALLS: audit_receive_skb().

audit_log_move() - Move data from tmp bufer into skb, or printk the 
		 audit_buffer if CONFIG_NET is not set.

    CALLED BY: audit_log_vformat(), audit_log_d_path(), audit_log_end_fast().
    CALLS: audit_log_lost().

audit_log_drain() - Process sk_buffs in the audit_buffer, send contents to user 
		  space, or return 0 if CONFIG_NET is not set.

    CALLED BY: audit_log_end_fast().
    CALLS: audit_log_end_irq().

audit_init() - Audit initialization routine, allocates netlink socket if 
	     CONFIG_NET is set, sets global audit_enabled to static 

    CALLS: audit_panic(), audit_log().

audit_enable() - Sets audit_default based on kernel command line boot args, 
	       e.g.audit=0, audit=1.


audit_log_start() - Obtains the audit_buffer under lock protection.

    CALLED BY: auditsc.c:audit_log_exit(), audit_receive_msg(), audit_log(),
    CALLS: audit_rate_check(), audit_log_lost(), audit_get_stamp(), 

audit_log_vformat() - Format the audit msg into the audit_buffer.

    CALLED BY: audit_log_format(), audit_log().
    CALLS: audit_log_move().

audit_log_format() - Verifies audit_buffer.

    CALLED BY: audit_receive_msg(), audit_log_start(), audit_log_d_path(),
        auditsc.c:audit_log_exit(), selinux/avc:avc_dump_av(), 
	selinux/avc:avc_dump_query(), selinux/avc:avc_print_ipv6_addr(),
	selinux/avc:avc_print_ipv4_addr(), selinux/avc:avc_audit().

    CALLS: audit_log_vformat().

audit_log_d_path() - Prints the d_path.

    CALLED BY: selinux/avc:avc_audit().
    CALLS: audit_log_format().

audit_tasklet_handler() - Remove msgs from the audit_txlist queue and send to 
			user space.
    CALLS: audit_log_end_fast().

audit_log_end_irq() - Schedules the audit_tasklet to remove queued msgs from 
		    the audit_txlist queue via audit_tasklet_handler().

    CALLED BY: audit_log_drain(), audit_log_end()
    CALLS: audit_tasklet_handler(via schedule).

audit_log_end_fast() - Send the msg in the audit_buffer to user space. Cannot 
		     be called in irq context.

    CALLED BY: audit_tasklet_handler(), audit_log_end()
    CALLS: audit_rate_check(), audit_log_lost(), audit_log_move(), 

audit_log_end() - Send or queue the msg in the audit_buffer to user space, 
		context	independent.

    CALLED BY: audit_receive_msg(), audit_log_drain(), audit_tasklet_handler(), 
        audit_log(), auditsc.c:audit_log_exit(), selinux:avc:avc_audit().
    CALLS: audit_log_end_irq(), audit_log_end_fast().

audit_log() - Logs an audit record in any context.

    CALLED BY: audit_set_rate_limit(), audit_set_backlog_limit(), 
        audit_set_enabled(), audit_set_failure(), audit_receive_msg(), 
	audit_init(), selinux/ss/services:compute_sid_handle_invalid_context().
     CALLS: audit_log_start(), audit_log_vformat(), audit_log_end().

auditsc.c:audit_compare_rule() - Check two rules to see if they are identical.  
			     Called from audit_del_rule during AUDIT_DEL.

    CALLED BY: auditsc.c:audit_del_rule()

auditsc.c:audit_add_rule() - Add a rule to the list.

    CALLED BY: auditsc.c:audit_receive_rule()

auditsc.c:audit_free_rule() - Free rule.

    CALLED BY: auditsc.c:audit_del_rule()

auditsc.c:audit_del_rule() - Remove a rule from the list.

    CALLED BY: auditsc.c:audit_receive_filter()
    CALLS: auditsc.c:audit_compare_rule().

auditsc.c:audit_copy_rule() - Copy rule from user space, called during AUDIT_ADD.  
			  Supported actions include AUDIT_NEVER, 

    CALLED BY: auditsc.c:audit_receive_filter()

auditsc.c:audit_receive_filter() - Process filter request from user space.  
			       Supported actions include AUDIT_LIST, AUDIT_ADD, 

    CALLED BY: audit_receive_msg().
    CALLS: auditsc.c:audit_del_rule(), auditsc.c:audit_add_rule(), 

auditsc.c:audit_filter_rules() - Check on a match between an audit rule and a 
	task_struct.  Supported matches include AUDIT_PID, AUDIT_UID, 

    CALLED BY: auditsc.c:audit_filter_task(), auditsc.c:audit_filter_syscall().

auditsc.c:audit_filter_task() - Check a task to determine if system-call auditing
			     is enabled.

    CALLED BY: auditsc.c:audit_alloc().
    CALLS: audtisc:audit_filter_rules().

auditsc.c:audit_filter_syscall() - Called at syscall entry and exit to determine 
			       if the audit record needs to be written.

    CALLED BY: audtisc:audit_get_context(), auditsc.c:audit_syscall_entry().
    CALLS: auditsc.c:audit_filter_rules().

auditsc.c:audit_get_context() - Retreive context and set proper auditable 

    CALLED BY: auditsc.c:audit_syscall_exit(), auditsc.c:audit_free().
    CALLS: auditsc.c:audit_filter_syscall().

auditsc.c:audit_free_names() - Calls putname for the name fields in the 
			   audit_context record.

    CALLED BY: auditsc.c:audit_free_context(), auditsc.c:audit_syscall_exit().

auditsc.c:audit_zero_context() - Initializes a audit_context record.

    CALLED BY: auditsc.c:audit_alloc_context(), auditsc.c:audit_syscall_entry(), 

auditsc.c:audit_alloc_context() - Allocates and audit_context entry.

    CALLED BY: auditsc.c:audit_alloc(), auditsc.c:audit_syscall_entry().
    CALLS: auditsc.c:audit_zero_context().

auditsc.c:audit_alloc() - Filter on a the task information and allocate a 
		      per-task audit context as required.

    CALLED BY: kernel/fork().
    CALLS: audit_filter_task(), audit_alloc_context().

auditsc.c:audit_free_context() - Walk the list on contexts and free the 
			     name entry.

    CALLED BY: auditsc.c:audit_free(), auditsc.c:audit_syscall_exit().
    CALLS: auditsc.c:audit_free_names().

auditsc.c:audit_log_exit() - Log the audit record on syscall exit.

    CALLED BY: auditsc.c:audit_free(), auditsc.c:audit_syscall_exit().
    CALLS: audit_log_start(), audit_log_format(), audit_log_end().

auditsc.c:audit_free() - Free the per-task audit context, called from 
		     copy_process and put_task_struct.

    CALLED BY: kernel/fork:copy_process().
    CALLS: audit_get_context(), audit_log_exit(), audit_free_context().

auditsc.c:audit_serial() - Compute the 24 bit serial number for the audit record.

    CALLED BY: auditsc.c:audit_syscall_entry().

auditsc.c:audit_syscall_entry() - Fill in the audit context at syscall entry.

    CALLED BY: arch/[i386,mips,ppc64,s390,x86_64]/kernel/
    CALLS: audit_alloc_context(), audit_zero_context(), audit_filter_syscall(),

auditsc.c:audit_syscall_exit() - clean up after system call.

    CALLED BY: arch/[i386,mips,ppc64,s390,x86_64]/kernel/ptrace:
    CALLS: audit_get_context(), audit_log_exit(), audit_free_context(), 
        audit_zero_context(), audit_free_names().

auditsc.c:audit_getname() - Add a name to the audit_context context.  Called 
			from fs/namei.c:getname().

    CALLED BY: fs/namei:getname().

auditsc.c:audit_putname() -  Intercept a putname request.  Called from include/

    CALLED BY: include/linux/fs.h:putname().

auditsc.c:audit_inode() - Store the inode and device information.  Called from 

    CALLED BY: fs/namei:path_lookup().

auditsc.c:audit_get_stamp() - Get the current time stamp information.

    CALLED BY: audit_log_start().

auditsc.c:audit_set_loginuid() - Set the login uid in the current context.

    CALLED BY: audit_receive_msg()

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]