Comprehensive Documentation on the Linux Audit Framework
Richard Guy Briggs
rgb at redhat.com
Wed Jun 7 02:31:32 UTC 2023
On 2023-06-06 18:01, Paul Moore wrote:
> On Tue, Jun 6, 2023 at 3:09 PM Steve Grubb <sgrubb at redhat.com> wrote:
> > On Tuesday, June 6, 2023 6:31:55 PM EDT Vincent Abraham wrote:
> > > Thanks. Could you also point to portions in the codebase where these
> > > functions are called for monitoring file access?
> >
> > I'll let Richard or Paul point to the place in the kernel if that's
> > necessary. I think there's a fundamental mismatch and it might not matter.
>
> The audit subsystem in the Linux Kernel is currently found in the core
> kernel/ directory:
>
> % ls -1 kernel/audit*
> kernel/audit.c
> kernel/auditfilter.c
> kernel/audit_fsnotify.c
> kernel/audit.h
> kernel/auditsc.c
> kernel/audit_tree.c
> kernel/audit_watch.c
I could have sworn I'd sent a reply yesterday afternoon with pointers to
three functions to start with, but it didn't make it to the list and I
have no record of it...
Directives from userspace come in here:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L1542
and are processed here:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L1204
For file access rules, see
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit_watch.c
For directory access rules, if you dare to tread, see
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit_tree.c
Once rules are in place, there are hooks all over the kernel to monitor
activity in various subsystems.
Have a look at audit_log_start() that generates the log messages:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L1829
and kauditd_send_queue() which manages the queues:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L718
> > ... would be path, kind of access, who is accessing it, program accessing
> > it, portions of se linux labeling, and a few other things.
>
> FYI for everyone on the thread, the generally accepted way to write to
> "SELinux" is as one word (no space between the "SE" and "Linux") and
> with the first three letters capitalized. I know we can be a little
> lazy with capitalization, I definitely am, but writing it as one word
> is the important part.
>
> --
> paul-moore.com
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
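As an added example, not code from this thread or from the kernel tree, here is a small Python reader that joins the SYSCALL and PATH records of one audit event and pulls out the fields Steve listed above (path, kind of access, who, program, SELinux labels). The records are constructed; the syscall-name map is a short x86_64 excerpt (arch=c000003e) and the unquoted-hex decoding follows the kernel's untrusted-string encoding.

```python
import re
from collections import defaultdict
# x86_64 syscall numbers for the handful used here (assumption: records carry arch=c000003e).
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 82: "rename", 87: "unlink", 257: "openat", 263: "unlinkat"}
# The kernel emits untrusted strings containing special characters as unquoted hex.
HEX_ENCODED_FIELDS = {"name", "comm", "exe", "proctitle", "cwd"}
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\):")

def parse_record(line):
    """Split one key=value audit record into a dict, decoding quoted and hex-encoded values."""
    rec = {}
    for key, val in FIELD_RE.findall(line):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in HEX_ENCODED_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", val):
            val = bytes.fromhex(val).decode("utf-8", "replace")
        rec[key] = val
    m = EVENT_RE.search(line)
    rec["_event"] = f"{m.group(1)}:{m.group(2)}" if m else None  # ts:serial shared by all records of one event
    return rec

def summarize_file_events(lines):
    """Join SYSCALL and PATH records by event id; report path, access, actor, program and labels."""
    events = defaultdict(list)
    for rec in map(parse_record, lines):
        if rec["_event"]:
            events[rec["_event"]].append(rec)
    out = {}
    for eid, recs in events.items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        paths = [r for r in recs if r.get("type") == "PATH"]
        if sc is None or not paths:
            continue  # incomplete event (rotated or truncated log): skip rather than guess
        num = int(sc.get("syscall", -1))
        out[eid] = {"paths": [p.get("name") for p in paths], "obj": [p.get("obj") for p in paths],
                    "access": SYSCALL_NAMES.get(num, f"syscall-{num}"), "success": sc.get("success"),
                    "auid": sc.get("auid"), "uid": sc.get("uid"), "exe": sc.get("exe"),
                    "comm": sc.get("comm"), "subj": sc.get("subj"), "key": sc.get("key")}
    return out

SAMPLE_LOG = [  # constructed records, not a real capture
    'type=SYSCALL msg=audit(1686106292.123:456): arch=c000003e syscall=257 success=yes exit=3 items=1 '
    'pid=1234 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow-watch"',
    'type=PATH msg=audit(1686106292.123:456): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100000 '
    'ouid=0 ogid=0 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL',
    'type=SYSCALL msg=audit(1686106292.500:457): arch=c000003e syscall=87 success=no exit=-13 items=1 '
    'pid=1300 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="tmp-watch"',
    'type=PATH msg=audit(1686106292.500:457): item=0 name=2F746D702F612062 nametype=DELETE obj=unconfined_u:object_r:user_tmp_t:s0',
]
```

Running `summarize_file_events(SAMPLE_LOG)` yields one entry per event; the second PATH record shows a hex-encoded name (a path containing a space) decoded back to "/tmp/a b".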