OneGun Lee wrote: [Wed Aug 20 2008, 09:40:48PM EDT] > The audit system for arm architecture doesn't exist in the Linux kernel. > But, other architecture's audit system is available. (i386, ppc, mips...) > and.. I think taht "audit system in kernel" is equal to "LAuS". > > Is it wrong?
The Linux kernel audit system is actually called Lightweight Audit Framework. The LAuS system was maintained for a while as an out-of-tree patch. At this point you want to enable the Lightweight Audit Framework for the ARM architecture. Unfortunately, there hasn't been a lot of public documentation written that I'm aware of. Here are a couple of things that were written early on in the project. http://lwn.net/Articles/73623/ and http://www.redhat.com/archives/linux-audit/2004-August/msg00000.html A lot of features have been added since then and some things may have been changed, but that should at least give you an overview of how it works. Those docs don't really cover the architecture-specific parts though. I did a little work on the ia64 audit code, so I'll try to write a bit about that. The two architecture-specific pieces are syscall interception and syscall classes. Syscall interception is implemented alongside syscall tracing. You'll need to: 1. Define the TIF_SYSCALL_AUDIT flag, which indicates that syscall auditing is active for a task. The flag is used to determine whether to call audit_syscall_entry, and also for any special handling required when the code doesn't follow the normal paths: e.g. signal handling, streamlined syscalls, etc. You'll also want to make sure the flag is properly preserved when a child is created. I'm not sure how fully syscall tracing has been implemented for ARM, but if the implementation is complete, the TIF_SYSCALL_TRACE flag should be a good indicator of where you need to add handling for TIF_SYSCALL_AUDIT. 2. Make calls to audit_syscall_entry() and audit_syscall_exit() at the beginning and end of syscall processing. audit_syscall_entry() requires certain parameters: architecture flag, syscall number and syscall args from the appropriate registers. audit_syscall_exit() requires an indication of operation success and syscall return value. Audit expects success values to be defined as 0=fail, 1=success. When the syscall operation failed, the return value should be the error code, represented as a negative number. 3. You'll also need to add AUDIT_ARCH to arch/arm/Kconfig to tell the build system that ARM has audit support. 4. Syscall classes let you specify certain sets of system calls in a single audit rule. They're somewhat involved, and since this is already getting long, it might be better to get the above parts working first and then look at syscall classes. You'll probably have to define a few stub functions and/or comment out some code to get things to build. But you should be able to test a lot of audit functionality without syscall classes. Looking at the other architectures' audit code is a good idea. I'm also cc'ing the linux-audit mailing list, which is a good place to ask questions and post patches. Here's the subscription information: http://www.redhat.com/mailman/listinfo/linux-audit Amy -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
