The audit implementation belongs to the very core of the kernel: the source is located directly in kernel/. This underlines how much emphasis the kernel developers place on the framework. As with all code in the core kernel directory, much care was taken to make it as compact, efficient, and clean as possible. The code is essentially distributed across three files:

□ kernel/audit.c provides the core audit mechanism.

□ kernel/auditsc.c implements system call auditing.

□ kernel/auditfilter.c contains means to filter audit events.

Another file, kernel/audit_tree.c, contains the data structures and routines that allow complete directory trees to be audited. Since a rather large amount of code is required to implement this comparatively small benefit, for simplicity's sake this chapter does not discuss this possibility any further.

Detailed documentation of the log format used, usage descriptions for the associated tools, and so on can be found on the developer's website, and in the corresponding manual pages. With this in mind, you can dive directly into the details of implementation in this section!

As is the case for most parts of the kernel, understanding the data structures of the audit framework is a big step toward understanding the implementation.
