From: Paul Moore
Subject: Re: Checking for audit_enabled in the kernel
Date: Tue, 14 Nov 2006 15:57:23 -0500
Message-ID: <455A2DB3.7040206@hp.com>
References: <455A0157.9060100@hp.com> <200611141401.48925.sgrubb@redhat.com>
In-Reply-To: <200611141401.48925.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com

Steve Grubb wrote:
> On Tuesday 14 November 2006 12:48, Paul Moore wrote:
>
>>I'm trying to find a way to quickly determine if auditing is enabled and it
>>looks like the only real way to do that is to declare audit_enabled as an
>>extern and check the variable directly. Is there some interface for this
>>that I am missing?
>
> A good example of how to do this is in audit.h:
>
> static inline int audit_ipc_obj(struct kern_ipc_perm *ipcp)
> {
>         if (unlikely(!audit_dummy_context()))
>                 return __audit_ipc_obj(ipcp);
>         return 0;
> }
>
> __audit_ipc_obj is the real function that does the actual work. The
> audit_dummy_context() function uses current, so it may not be suitable to use
> on events that come from netlink. In that case, we'd need a new function that
> takes a task struct.

From what I can tell audit_dummy_context() is really only useful in detecting if
syscall auditing is enabled (it always returns true if CONFIG_AUDITSYSCALL is
not checked at compile time) and not audit in general. I'm pretty sure I want
something that depends on audit in general and not just syscall auditing.

-- 
paul moore
linux security @ hp