Closing the Audit Log
After all necessary log messages have been written to an audit buffer, audit_log_end must be called to ensure that the audit record is sent to the userspace daemon. The code flow diagram for the function is shown in Figure 19-6.
[Figure: audit_log_end -> Perform rate check -> Enqueue socket buffer -> audit_buffer_free]
Figure 19-6: Code flow diagram for audit_log_end.
After performing another rate check (if messages have been submitted too frequently, the present message is lost and a "rate limit exceeded" message is sent to the daemon instead), the socket buffer associated with the audit buffer is placed on a queue for later processing by kauditd:
kernel/audit.c

void audit_log_end(struct audit_buffer *ab)
{
        struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;

        /* Fill in the final payload length in the netlink header */
        nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
        /* Hand the socket buffer to the kauditd queue; the audit buffer
         * no longer owns it */
        skb_queue_tail(&audit_skb_queue, ab->skb);
        ab->skb = NULL;
        /* Wake the kernel audit daemon so it forwards the queue to userspace */
        wake_up_interruptible(&kauditd_wait);
        /* The audit buffer itself is released by audit_buffer_free
         * (see Figure 19-6) */
}
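The following is an added user-space model of the audit_log_end path described above, not the kernel's own code: a rate check that drops the record and accounts for the loss, a queue handed to a consumer standing in for kauditd, and a free of the audit buffer afterwards. The names mirror kernel/audit.c, but the rate limiter (a fixed window driven by a caller-advanced clock) and the queue are simplifications assumed for illustration; the kernel keeps its own rate state and uses a struct sk_buff_head.

```c
/* Added example, not the kernel's code: user-space model of the
 * audit_log_end path (rate check, enqueue, free). Names mirror
 * kernel/audit.c; the implementation is a simplified stand-in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct sk_buff: the record text plus a queue link. */
struct audit_skb {
    char *data;
    struct audit_skb *next;
};

/* Stand-in for struct audit_buffer: owns the skb until audit_log_end
 * hands it to the queue. */
struct audit_buffer {
    struct audit_skb *skb;
};

/* Queue consumed by the daemon side (kauditd in the kernel). */
static struct audit_skb *audit_skb_queue_head, *audit_skb_queue_tail;

/* Rate-limit state. The kernel counts per HZ jiffies; here the clock is
 * an integer the caller advances, so the behaviour is deterministic. */
static unsigned long audit_rate_limit;   /* 0 = unlimited (kernel default) */
static unsigned long audit_now;          /* assumed clock, in window units */
static unsigned long audit_window_start;
static unsigned long audit_window_count;
static unsigned long audit_lost;         /* records dropped by the limit */

void audit_set_rate_limit(unsigned long limit) { audit_rate_limit = limit; }
void audit_advance_clock(unsigned long ticks) { audit_now += ticks; }
unsigned long audit_lost_count(void) { return audit_lost; }

/* Returns 1 if the message may be sent, 0 if it exceeds the limit.
 * Simplified: one-tick fixed window, no burst credit. */
static int audit_rate_check(void)
{
    if (audit_rate_limit == 0)
        return 1;
    if (audit_now != audit_window_start) {
        audit_window_start = audit_now;
        audit_window_count = 0;
    }
    if (audit_window_count >= audit_rate_limit)
        return 0;
    audit_window_count++;
    return 1;
}

/* A dropped record must remain visible: count it and report the reason,
 * as the kernel does with its "rate limit exceeded" message. */
static void audit_log_lost(const char *reason)
{
    audit_lost++;
    fprintf(stderr, "audit: %s (lost so far: %lu)\n", reason, audit_lost);
}

static void audit_buffer_free(struct audit_buffer *ab)
{
    if (ab->skb) {            /* still owned: the record was never queued */
        free(ab->skb->data);
        free(ab->skb);
    }
    free(ab);
}

struct audit_buffer *audit_log_start(const char *msg)
{
    struct audit_buffer *ab = calloc(1, sizeof *ab);
    if (!ab)
        return NULL;
    ab->skb = calloc(1, sizeof *ab->skb);
    ab->skb->data = malloc(strlen(msg) + 1);
    memcpy(ab->skb->data, msg, strlen(msg) + 1);
    return ab;
}

/* Mirrors the kernel path; returns 1 if queued, 0 if dropped. */
int audit_log_end(struct audit_buffer *ab)
{
    int queued = 0;
    if (!ab)
        return 0;
    if (!audit_rate_check()) {
        audit_log_lost("rate limit exceeded");
    } else {
        ab->skb->next = NULL;                     /* skb_queue_tail(...) */
        if (audit_skb_queue_tail)
            audit_skb_queue_tail->next = ab->skb;
        else
            audit_skb_queue_head = ab->skb;
        audit_skb_queue_tail = ab->skb;
        ab->skb = NULL;                           /* queue now owns it */
        queued = 1;                               /* wake_up_interruptible() */
    }
    audit_buffer_free(ab);
    return queued;
}

/* Consumer side: drain the queue and return the number delivered. */
unsigned long kauditd_drain(void)
{
    unsigned long n = 0;
    while (audit_skb_queue_head) {
        struct audit_skb *skb = audit_skb_queue_head;
        audit_skb_queue_head = skb->next;
        printf("deliver: %s\n", skb->data);
        free(skb->data);
        free(skb);
        n++;
    }
    audit_skb_queue_tail = NULL;
    return n;
}
```

The point to take from the model is that a rate-limited audit path never drops silently: audit_lost is incremented and a reason is reported, so a monitoring side can detect that records are missing rather than assume a quiet system.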
Note that the kernel provides the convenience function audit_log, which can be used as an abbreviation for the three aforementioned tasks (starting an audit log, writing messages, and ending the log). It has the following prototype:

void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, const char *fmt, ...);