
4 audit tools, 1 auditctl, 2 ausearch – IBM Novell 10 SP1 EAL4 User Manual


Event Description | LAF audit events
--- | ---
Execution of the test of the underlying machine and the result of the test | Audit message from amtu utility: audit record type: USER.
Changes to system time | Syscall settimeofday, adjtimex
Setting up a trusted channel | Syscall exec (of stunnel program)

Table 5-4: Audit Subsystem event codes

5.6.4 Audit tools

In addition to the main components, the user level provides a search utility, ausearch, and a trace utility, autrace. While ausearch finds audit records in the audit log based on different criteria, autrace audits all syscalls issued by the process being traced. The man pages for these two utilities detail all the options that can be used with each. In this section we briefly describe how they operate.

5.6.4.1 auditctl

The auditctl command configures and examines the kernel audit subsystem. It allows the setting of syscall rules, file watches, various audit characteristics, and the sending of userspace messages. It communicates with the kernel using the netlink socket interface via the audit library. For more information on auditctl, please see the auditctl(8) man page. Use of auditctl is restricted in the TOE to administrative users.

5.6.4.2 ausearch

Only root has the ability to run this tool. First, ausearch checks the validity of the parameters passed, i.e. whether they are supported or not. Then it opens either the logs or the administrator-specified files. The logs' location is extracted from /etc/auditd.conf. After that, ausearch starts to process the records, one record at a time, matching the parameters passed to it. Each audit record can be written into the log as multiple file records. The tool collates all the file records into a linked list before it checks whether the record matches the requested search criteria. For more information on ausearch, please see the ausearch(8) man page.

5.6.5 Login uid association

The pam_loginuid.so module writes the login uid of the process that was authenticated to the /proc file system (/proc/session id/loginuid). The loginuid file is only writable by root and readable by everyone. The /proc file system triggers the kernel function audit_set_loginuid() to set the login uid for the user in the audit context. From then on, this login uid is maintained throughout the session to trace back all operations done in the session to exactly the login user.
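The collate-then-match behaviour described for ausearch above, and the use of the login uid (auid) to trace events back to the login user, as an added Python illustration; this is not code from the manual or from the audit package, the log lines are constructed, and the field layout follows the standard audit record format.

```python
import re
from collections import OrderedDict

# Constructed sample audit log: event 42 is split across SYSCALL/CWD/PATH file
# records sharing one audit(time:serial) key; 43 and 44 belong to other login uids.
# Syscall numbers are those of x86_64 (164 = settimeofday, 59 = execve).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1180000000.123:42): arch=c000003e syscall=164 success=yes exit=0 auid=500 uid=0 comm="date" exe="/bin/date"
type=CWD msg=audit(1180000000.123:42): cwd="/root"
type=PATH msg=audit(1180000000.123:42): item=0 name="/bin/date"
type=SYSCALL msg=audit(1180000000.456:43): arch=c000003e syscall=59 success=yes exit=0 auid=501 uid=501 comm="stunnel" exe="/usr/sbin/stunnel"
type=USER msg=audit(1180000000.789:44): user pid=2001 uid=0 auid=500 msg='amtu test result'
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_records(text):
    """Yield (event key, record type, fields) for each file record in the log."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record; skip it
        fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(m.group('body'))}
        yield (m.group('ts'), int(m.group('serial'))), m.group('type'), fields

def collate_events(text):
    """Group file records into whole audit events (same time:serial) before matching."""
    events = OrderedDict()
    for key, rtype, fields in parse_records(text):
        ev = events.setdefault(key, {'serial': key[1], 'types': [], 'fields': {}})
        ev['types'].append(rtype)
        ev['fields'].update(fields)
    return list(events.values())

def search(text, auid=None, rtype=None, syscall=None):
    """Return serials of events that satisfy every given criterion (None = any)."""
    hits = []
    for ev in collate_events(text):
        f = ev['fields']
        if auid is not None and f.get('auid') != str(auid):
            continue  # login uid from the audit context, set via pam_loginuid
        if rtype is not None and rtype not in ev['types']:
            continue
        if syscall is not None and f.get('syscall') != str(syscall):
            continue
        hits.append(ev['serial'])
    return hits
```

Because records are collated first, a criterion taken from one file record (the CWD or PATH line) can be combined with one from another (the SYSCALL line) of the same event.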

5.7 Kernel modules

Kernel modules are pieces of object code that can be linked to, and unlinked from, the kernel at runtime.
Kernel modules usually consist of a set of functions that implement a file system, a device driver, or other
functions at the kernel’s upper layer.

146