Re: How Audit event triggers in Kernel

[Steve Grubb <sgrubb@redhat.com>]

On Thursday, January 27, 2011 07:14:40 am Ashok Kumar J wrote:
> I saw the function audit_send in the netlink.c file. This function is used
> to send the audit rules set into kernel. My question is  How Audit event
> triggers for system call in kernel.

The short answer id that there is a rule matcher that checks the current syscall 
against the list of rules.

http://lxr.linux.no/#linux+v2.6.37/kernel/auditfilter.c#L657

In reality, its a little more complicated because you have to get the flow of control 
to this function from syscall entry and exit.

http://lxr.linux.no/#linux+v2.6.37/kernel/auditsc.c#L1562
http://lxr.linux.no/#linux+v2.6.37/kernel/auditsc.c#L1674


> My second question is, After getting the reply packet from the netlink
> socket through the function audit_get_reply(). How the audit log format
> achieved for system call before storing the audit log.

The event does not really get any substantial formatting because the audit daemon's 
job is to dequeue as fast as possible and get it to disk. Any display formatting can 
be done by search and reporting tools. But if you wanted to see it, this is the 
function that takes care of this for the RAW format specified in auditd.conf:

https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L963


-Steve