* Checking for audit_enabled in the kernel
From: Paul Moore @ 2006-11-14 17:48 UTC (permalink / raw)
To: linux-audit
I'm trying to find a way to quickly determine if auditing is enabled and it
looks like the only real way to do that is to declare audit_enabled as an extern
and check the variable directly. Is there some interface for this that I am
missing?
--
paul moore
linux security @ hp
* Re: Checking for audit_enabled in the kernel
From: Steve Grubb @ 2006-11-14 19:01 UTC (permalink / raw)
To: linux-audit
On Tuesday 14 November 2006 12:48, Paul Moore wrote:
> I'm trying to find a way to quickly determine if auditing is enabled and it
> looks like the only real way to do that is to declare audit_enabled as an
> extern and check the variable directly. Is there some interface for this
> that I am missing?
A good example of how to do this is in audit.h:

static inline int audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
	if (unlikely(!audit_dummy_context()))
		return __audit_ipc_obj(ipcp);
	return 0;
}

__audit_ipc_obj is the real function that does the actual work. The
audit_dummy_context() function uses current, so it may not be suitable to use
on events that come from netlink. In that case, we'd need a new function that
takes a task struct.
-Steve
* Re: Checking for audit_enabled in the kernel
From: Steve Grubb @ 2006-11-14 19:07 UTC (permalink / raw)
To: linux-audit
On Tuesday 14 November 2006 14:01, Steve Grubb wrote:
> A good example of how to do this is in audit.h:
Actually, this is wrong - disregard. This would be modeled more like sending a
user space rule into the kernel. In that case, audit_enabled is checked
directly. It's already a public variable but just not in the audit.h file to
prevent its proliferation. You can do this:

	extern int audit_enabled;

in your file and use it.
-Steve
* Re: Checking for audit_enabled in the kernel
From: Paul Moore @ 2006-11-14 20:57 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Steve Grubb wrote:
> On Tuesday 14 November 2006 12:48, Paul Moore wrote:
>
>>I'm trying to find a way to quickly determine if auditing is enabled and it
>>looks like the only real way to do that is to declare audit_enabled as an
>>extern and check the variable directly. Is there some interface for this
>>that I am missing?
>
> A good example of how to do this is in audit.h:
>
> static inline int audit_ipc_obj(struct kern_ipc_perm *ipcp)
> {
> 	if (unlikely(!audit_dummy_context()))
> 		return __audit_ipc_obj(ipcp);
> 	return 0;
> }
>
> __audit_ipc_obj is the real function that does the actual work. The
> audit_dummy_context() function uses current, so it may not be suitable to use
> on events that come from netlink. In that case, we'd need a new function that
> takes a task struct.

From what I can tell audit_dummy_context() is really only useful in detecting if
syscall auditing is enabled (it always returns true if CONFIG_AUDITSYSCALL is
not checked at compile time) and not audit in general. I'm pretty sure I want
something that depends on audit in general and not just syscall auditing.
--
paul moore
linux security @ hp