Re: audit for ARM arch

[Amy Griffis <amy.griffis@hp.com>]

OneGun Lee wrote:  [Wed Aug 20 2008, 09:40:48PM EDT]
> The audit system for arm architecture doesn't exist in the Linux kernel.
> But, other architecture's audit system is available. (i386, ppc, mips...)
> and.. I think taht "audit system in kernel" is equal to "LAuS".
> 
> Is it wrong?

The Linux kernel audit system is actually called Lightweight Audit
Framework. The LAuS system was maintained for a while as an
out-of-tree patch. At this point you want to enable the Lightweight
Audit Framework for the ARM architecture.

Unfortunately, there hasn't been a lot of public documentation written
that I'm aware of. Here are a couple of things that were written early
on in the project.

http://lwn.net/Articles/73623/

and

http://www.redhat.com/archives/linux-audit/2004-August/msg00000.html

A lot of features have been added since then and some things may have
been changed, but that should at least give you an overview of how it
works. Those docs don't really cover the architecture-specific
parts though.

I did a little work on the ia64 audit code, so I'll try to write a bit
about that. The two architecture-specific pieces are syscall
interception and syscall classes. Syscall interception is implemented
alongside syscall tracing. You'll need to:

    1. Define the TIF_SYSCALL_AUDIT flag, which indicates that syscall
       auditing is active for a task. The flag is used to determine
       whether to call audit_syscall_entry, and also for any special
       handling required when the code doesn't follow the normal
       paths: e.g. signal handling, streamlined syscalls, etc. You'll
       also want to make sure the flag is properly preserved when
       a child is created.
       
       I'm not sure how fully syscall tracing has been implemented for
       ARM, but if the implementation is complete, the
       TIF_SYSCALL_TRACE flag should be a good indicator of where you
       need to add handling for TIF_SYSCALL_AUDIT.

    2. Make calls to audit_syscall_entry() and audit_syscall_exit() at
       the beginning and end of syscall processing.
       audit_syscall_entry() requires certain parameters: architecture
       flag, syscall number and syscall args from the appropriate
       registers. audit_syscall_exit() requires an indication of
       operation success and syscall return value. Audit expects
       success values to be defined as 0=fail, 1=success. When the
       syscall operation failed, the return value should be the error
       code, represented as a negative number.

    3. You'll also need to add AUDIT_ARCH to arch/arm/Kconfig to tell
       the build system that ARM has audit support.
    
    4. Syscall classes let you specify certain sets of system calls in
       a single audit rule. They're somewhat involved, and since this
       is already getting long, it might be better to get the above
       parts working first and then look at syscall classes. You'll
       probably have to define a few stub functions and/or comment out
       some code to get things to build. But you should be able to
       test a lot of audit functionality without syscall classes.
    
Looking at the other architectures' audit code is a good idea. I'm
also cc'ing the linux-audit mailing list, which is a good place to ask
questions and post patches. Here's the subscription information:

http://www.redhat.com/mailman/listinfo/linux-audit

Amy