On 2023-06-06 18:01, Paul Moore wrote:
> On Tue, Jun 6, 2023 at 3:09 PM Steve Grubb <sgr...@redhat.com> wrote:
> > On Tuesday, June 6, 2023 6:31:55 PM EDT Vincent Abraham wrote:
> > > Thanks. Could you also point to portions in the codebase where these
> > > functions are called for monitoring file access?
> >
> > I'll let Richard or Paul point to the place in the kernel if that's
> > necessary. I think there's a fundamental mismatch and it might not matter.
>
> The audit subsystem in the Linux Kernel is currently found in the core
> kernel/ directory:
>
> % ls -1 kernel/audit*
> kernel/audit.c
> kernel/auditfilter.c
> kernel/audit_fsnotify.c
> kernel/audit.h
> kernel/auditsc.c
> kernel/audit_tree.c
> kernel/audit_watch.c

I could have sworn I'd sent a reply yesterday afternoon with pointers to
three functions to start with, but it didn't make it to the list and I
have no record of it...

Directives from userspace come in here:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L1542
and are processed here:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L1204

For file access rules, see
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit_watch.c

For directory access rules, if you dare to tread, see
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit_tree.c

Once rules are in place, there are hooks all over the kernel to monitor
activity in various subsystems.

Have a look at audit_log_start() that generates the log messages:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L1829
and kauditd_send_queue() which manages the queues:
https://github.com/linux-audit/audit-kernel/blob/main/kernel/audit.c#L718

> > ... would be path, kind of access, who is accessing it, program accessing
> > it, portions of se linux labeling, and a few other things.
>
> FYI for everyone on the thread, the generally accepted way to write to
> "SELinux" is as one word (no space between the "SE" and "Linux") and
> with the first three letters capitalized. I know we can be a little
> lazy with capitalization, I definitely am, but writing it as one word
> is the important part.
>
> --
> paul-moore.com

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
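The fields Steve asks for above (path, kind of access, who is accessing it, the program, SELinux labels) are what the records emitted via audit_log_start() carry once a file watch rule from audit_watch.c is active. As an added example, not code from this thread or from the audit project, here is a small Python parser that reassembles one such event from auditd-style records into exactly those fields. The log lines, serial number, uids and labels are constructed for illustration, and the syscall-number table assumes x86_64.

```python
import re
from collections import defaultdict

# Constructed sample event (serial 4242) as auditd would log a -w file watch;
# every value below is illustrative, not captured from a real system.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1686077000.123:4242): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1000 pid=2345 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow_watch"
type=CWD msg=audit(1686077000.123:4242): cwd="/root"
type=PATH msg=audit(1686077000.123:4242): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100640 ouid=0 ogid=42 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1686077000.123:4242): proctitle=636174002F6574632F736861646F77
"""

# x86_64 syscall numbers for the file operations a watch rule commonly reports (assumption)
SYSCALL_KIND = {2: "open", 257: "open", 87: "unlink", 263: "unlink", 82: "rename",
                316: "rename", 90: "chmod", 268: "chmod", 92: "chown", 260: "chown"}

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_fields(rest):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}

def summarise(serial, records):
    """Collapse the SYSCALL/PATH/PROCTITLE records of one event into one dict."""
    out = {"serial": serial, "paths": []}
    for rtype, ts, f in records:
        out["time"] = ts
        if rtype == "SYSCALL":            # who, what program, which operation, SELinux subject
            subj = f.get("subj", "")
            out.update(kind=SYSCALL_KIND.get(int(f["syscall"]), "syscall " + f["syscall"]),
                       success=f.get("success") == "yes", uid=int(f["uid"]),
                       auid=int(f["auid"]), exe=f.get("exe"), key=f.get("key"),
                       subj_type=subj.split(":")[2] if subj.count(":") >= 2 else None)
        elif rtype == "PATH":             # which object, with its SELinux object label
            out["paths"].append({"name": f.get("name"), "obj": f.get("obj"),
                                 "nametype": f.get("nametype")})
        elif rtype == "PROCTITLE":        # hex-encoded, NUL-separated argv
            out["argv"] = bytes.fromhex(f["proctitle"]).decode().split("\0")
    return out

def parse_events(text):
    """Group records by event serial (the number after the timestamp) and summarise each."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rtype, ts, serial, rest = m.groups()
            events[int(serial)].append((rtype, ts, parse_fields(rest)))
    return [summarise(s, recs) for s, recs in sorted(events.items())]
```

Running parse_events() over a real ausearch dump would need the ENRICHED name fields and the other syscall numbers added, but the grouping by serial is the same.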