The audit mechanism uses data structures that fall into three main categories. First, processes need to be instrumented with a per-task data structure that is especially important for system call auditing. Second, audit events, filtering rules and so on need to be represented within the kernel. Third, a communication mechanism with the userland utilities needs to be established.
Figure 19-2 illustrates the connection of the different data structures that form the core of the auditing mechanism. The task structure is extended with an audit context that allows storing all data relevant for a system call, and a database that contains all audit rules is established. The data structures used to transfer audit data between kernel and userspace are not too interesting in this context, so they are not included in the figure.
Continue reading here: Extensions to taskstruct
Was this article helpful?