OneGun Lee wrote: [Wed Aug 20 2008, 09:40:48PM EDT]
The audit system for arm architecture doesn't exist in the Linux
kernel.
But, other architecture's audit system is available. (i386, ppc, mips...)
and.. I think taht "audit system in kernel" is equal to "LAuS".
Is it wrong?
The Linux kernel audit system is actually called Lightweight Audit
Framework. The LAuS system was maintained for a while as an
out-of-tree patch. At this point you want to enable the Lightweight
Audit Framework for the ARM architecture.
Unfortunately, there hasn't been a lot of public documentation written
that I'm aware of. Here are a couple of things that were written early
on in the project.
http://lwn.net/Articles/73623/
and
http://www.redhat.com/archives/linux-audit/2004-August/msg00000.html
A lot of features have been added since then and some things may have
been changed, but that should at least give you an overview of how it
works. Those docs don't really cover the architecture-specific
parts though.
I did a little work on the ia64 audit code, so I'll try to write a bit
about that. The two architecture-specific pieces are syscall
interception and syscall classes. Syscall interception is implemented
alongside syscall tracing. You'll need to:
1. Define the TIF_SYSCALL_AUDIT flag, which indicates that syscall
auditing is active for a task. The flag is used to determine
whether to call audit_syscall_entry, and also for any special
handling required when the code doesn't follow the normal
paths: e.g. signal handling, streamlined syscalls, etc. You'll
also want to make sure the flag is properly preserved when
a child is created.
I'm not sure how fully syscall tracing has been implemented for
ARM, but if the implementation is complete, the
TIF_SYSCALL_TRACE flag should be a good indicator of where you
need to add handling for TIF_SYSCALL_AUDIT.
2. Make calls to audit_syscall_entry() and audit_syscall_exit() at
the beginning and end of syscall processing.
audit_syscall_entry() requires certain parameters: architecture
flag, syscall number and syscall args from the appropriate
registers. audit_syscall_exit() requires an indication of
operation success and syscall return value. Audit expects
success values to be defined as 0=fail, 1=success. When the
syscall operation failed, the return value should be the error
code, represented as a negative number.
3. You'll also need to add AUDIT_ARCH to arch/arm/Kconfig to tell
the build system that ARM has audit support.
4. Syscall classes let you specify certain sets of system calls in
a single audit rule. They're somewhat involved, and since this
is already getting long, it might be better to get the above
parts working first and then look at syscall classes. You'll
probably have to define a few stub functions and/or comment out
some code to get things to build. But you should be able to
test a lot of audit functionality without syscall classes.
Looking at the other architectures' audit code is a good idea. I'm
also cc'ing the linux-audit mailing list, which is a good place to ask
questions and post patches. Here's the subscription information:
http://www.redhat.com/mailman/listinfo/linux-audit
Amy