diff -urN linux-2.0.31pre9-privs-clean/arch/i386/kernel/entry.S linux-2.0.31pre9-privs/arch/i386/kernel/entry.S --- linux-2.0.31pre9-privs-clean/arch/i386/kernel/entry.S Wed Sep 10 15:05:33 1997 +++ linux-2.0.31pre9-privs/arch/i386/kernel/entry.S Fri Sep 12 06:39:44 1997 @@ -710,4 +710,7 @@ .long SYMBOL_NAME(sys_getfilecap) .long SYMBOL_NAME(sys_fsetfilecap) .long SYMBOL_NAME(sys_fgetfilecap) /* 175 */ - .space (NR_syscalls-175)*4 + .long SYMBOL_NAME(sys_auditor) + .long SYMBOL_NAME(sys_auditswitch) + .long SYMBOL_NAME(sys_auditwrite) + .space (NR_syscalls-178)*4 diff -urN linux-2.0.31pre9-privs-clean/include/asm-i386/unistd.h linux-2.0.31pre9-privs/include/asm-i386/unistd.h --- linux-2.0.31pre9-privs-clean/include/asm-i386/unistd.h Wed Sep 10 15:05:41 1997 +++ linux-2.0.31pre9-privs/include/asm-i386/unistd.h Thu Sep 11 22:40:04 1997 @@ -181,6 +181,9 @@ #define __NR__getfilecap 173 #define __NR__fsetfilecap 174 #define __NR__fgetfilecap 175 +#define __NR__auditor 176 +#define __NR__auditswitch 177 +#define __NR__auditwrite 178 /* XXX - _foo needs to be __foo, while __NR_bar could be _NR_bar. */ #define _syscall0(type,name) \ diff -urN linux-2.0.31pre9-privs-clean/include/linux/audit.h linux-2.0.31pre9-privs/include/linux/audit.h --- linux-2.0.31pre9-privs-clean/include/linux/audit.h Wed Dec 31 16:00:00 1969 +++ linux-2.0.31pre9-privs/include/linux/audit.h Thu Sep 11 22:35:49 1997 @@ -0,0 +1,180 @@ +#ifndef LINUX_AUDIT_H +#define LINUX_AUDIT_H + +#include +#include +#include + +struct __aud_header_s { + __u8 flags; /* For configuration use (includes byteordering) */ + __u8 generation; /* Indicator of generation of audit record */ + __u16 length; /* Number of __aud_s's that follow this */ + __u32 audit_id; /* Audit id - for tracing process trees */ + __u32 proc_id; /* PID of audited process */ + __u32 event_class; /* bits that triggered event recording: + * (bit 0)=0 -> user-level + * (bit 0)=1 -> kernel-level + */ + __u32 time_sec; /* when did event occur (seconds) */ + __u32 time_nsec; /* offset (nanosec) */ + __u64 unused; /* pad out to 256-bits = 32 bytes */ +} __attribute__ ((packed)); + +#define AUDIT_DATA_ATOM_SIZE sizeof(struct __aud_header_s) +#define MAX_AUDIT_ATOMS 256 /* number of lines stored at + * any time in audit buffer: + * must be power of 2 */ +#define MAX_AUDIT_WRAP_MASK (MAX_AUDIT_ATOMS-1) +#define MAX_AUDIT_DATA (MAX_AUDIT_WRAP_MASK*AUDIT_DATA_ATOM) + +/* union for type of internal audit buffer */ + +union audit_atom { + struct __aud_header_s header; + __u8 data[AUDIT_DATA_ATOM_SIZE]; +}; + +/* some numbers that determine how many atoms of the internal audit + trail are to be buffered */ + +/* flags for interpretting audit header/record structure */ + +#define AUDIT_FLAG_BIG_ENDIAN 0x80 + +/* make a choice based on the endianness of the local chip */ + +#ifndef __LITTLE_ENDIAN +# define AUDIT_FLAG_PREFIX AUDIT_FLAG_BIG_ENDIAN +#else +# define AUDIT_FLAG_PREFIX 0x00 +#endif + +/* the current audit format generation number. Note, '0' is used to lock + record */ + +#define AUDIT_RECORD_LOCKED 0 +#define AUDIT_CURRENT_GENERATION 1 + +/* flag-bits to indicate the nature of the audited event. These can be + combined to generate a profile of the event that can be more easily + vetoed as it is written to the audit log */ + +#define AUDIT_EVENT_CLASS_USER 0x00000000 /* user generated event */ +#define AUDIT_EVENT_CLASS_KERNEL 0x00000001 /* kernel generated event */ + +/* + * The following are a set of tools for building an audit record. + * They can be conveniently #define'd to [empty] in the case that + * one wishes to compile code with auditing removed. Note that + * the last is defined in the way it is to encourage the programmer + * to verify the exit status of the command. + * + * Usage is to place all commands between a single pair of { }'s: + * + * { + * int result; + * _Audit_begin(sizeof(int) + sizeof(gid_t)); + * _Audit_append_simple(int, AUD_AET_SETGID); + * _Audit_append_simple(gid_t, current->gid); + * _Audit_if_not_ok(_AUDIT_CAN_BLOCK, event_mask, &result) { + * panic("attempt to audit setgid event failed (%d)", result); + * } + * } + * + * In the case of non-blocking calls, the 'result' should be checked for + * being '+ERESTARTSYS'. + * + * It is anticipated that the list of audit events will most efficiently + * be stored in a single meta-data file which can be used to create both + * the auditing components within the kernel and the audit report + * generator application. + */ + +#define _Audit_begin(max_length) \ + __u8 _Audit_data[max_length] __attribute__ ((aligned)); \ + __u16 _Audit_length = 0 + +#define _Audit_append_simple(prototype, datum) \ + *((prototype *)(_Audit_length + _Audit_data)) = datum; \ + _Audit_length += sizeof(prototype) + +#define _Audit_append_by_ptr(prototype, data_p) \ + memcpy(_Audit_length+_Audit_data, data_p, sizeof(prototype)); \ + _Audit_length += sizeof(prototype) + +#define _Audit_append_n_data(length, data_p) \ + memcpy(_Audit_length+_Audit_data, data_p, length); \ + _Audit_length += length + +#define _Audit_if_not_ok(ok_to_block, event_mask, result_p) \ + if ((_Audit_length > sizeof(_Audit_data) && (*(result_p)=EINVAL)) || \ + (*(result_p) = kernel_auditwrite(ok_to_block,event_mask, \ + _Audit_length,_Audit_data))) + +#define _AUDIT_DONT_BLOCK 0 +#define _AUDIT_CAN_BLOCK 1 + +extern int kernel_auditwrite(int may_block, __u32 mask, __u16 length, + const void *data); + +/* state bit pairs - mutually exclusive triads (0 = not applicable) */ +#define AUDIT_EVENT_CLASS_SUCCESS 0x00000002 /* event success notice */ +#define AUDIT_EVENT_CLASS_DENIED 0x00000004 /* event failure notice */ +#define AUDIT_EVENT_CLASS_PROGRESS 0x00000006 /* ambiguous state notice */ +#define AUDIT_EVENT_CLASS_RESULT_MASK 0x00000006 + +/* state bit pairs - mutually exclusive triads (0 = not applicable) */ +#define AUDIT_EVENT_CLASS_BEGIN 0x00000008 /* event starting notice */ +#define AUDIT_EVENT_CLASS_END 0x00000010 /* event ending notice */ +#define AUDIT_EVENT_CLASS_INTERIM 0x00000018 /* intermediate notice */ +#define AUDIT_EVENT_CLASS_EPOCH_MASK 0x00000018 + +#define AUDIT_EVENT_CLASS_FILE 0x00000100 /* related to file access */ +#define AUDIT_EVENT_CLASS_DRIVER 0x00000200 /* related to device driver */ +#define AUDIT_EVENT_CLASS_NET 0x00000400 /* related to the network */ +#define AUDIT_EVENT_CLASS_PROC 0x00000800 /* related to a process */ +#define AUDIT_EVENT_CLASS_CAP 0x00001000 /* use of capability(ies) */ + +/* syscall control codes for sys_auditor */ + +#define LINUX_AUDIT_OFF 1 +#define LINUX_AUDIT_ON 2 +#define LINUX_AUDIT_WRITE 3 +#define LINUX_AUDIT_DRAIN 4 + +/* POSIX event types - some of this belongs in */ + +#define AUD_STD_96_1 0xAD5D199601 /* draft 15, p296 par 3 */ +#define AUD_SYSTEM_LOG -1 /* file descriptor for system + audit log - cannot be 'opened'. */ +#define AUD_NATIVE 0 /* default format of records */ + +/* macros (types of numeric argument) */ + +#define AUD_AET_AUD_SWITCH 1 /* aud_switch() */ +#define AUD_AET_AUD_WRITE 2 /* aud_write() */ +#define AUD_AET_CHDIR 3 /* chdir() */ +#define AUD_AET_CHMOD 4 /* chmod() */ +#define AUD_AET_CHOWN 5 /* chown() */ +#define AUD_AET_CREAT 6 /* creat() */ +#define AUD_AET_DUP 7 /* dup(), dup2(), fcntl(F_DUPFD) */ +#define AUD_AET_EXEC 8 /* exec(), execl(), execlp(), execv(), + execvp(), execle(), execve() */ +#define AUD_AET_EXIT 9 /* _exit() */ +#define AUD_AET_FORK 10 /* fork() */ +#define AUD_AET_KILL 11 /* kill() */ +#define AUD_AET_LINK 12 /* link() */ +#define AUD_AET_MKDIR 13 /* mkdir() */ +#define AUD_AET_MKFIFO 14 /* mkfifo() */ +#define AUD_AET_OPEN 15 /* open, opendir() */ +#define AUD_AET_PIPE 16 /* pipe() */ +#define AUD_AET_RENAME 17 /* rename() */ +#define AUD_AET_RMDIR 18 /* rmdir() */ +#define AUD_AET_SETGID 19 /* setgid() */ +#define AUD_AET_SETUID 20 /* setuid() */ +#define AUD_AET_UNLINK 21 /* unlink() */ +#define AUD_AET_UTIME 22 /* utime() */ + +/* Linux specific event types */ + +#endif /* LINUX_AUDIT_H */ diff -urN linux-2.0.31pre9-privs-clean/include/linux/sched.h linux-2.0.31pre9-privs/include/linux/sched.h --- linux-2.0.31pre9-privs-clean/include/linux/sched.h Wed Sep 10 15:05:42 1997 +++ linux-2.0.31pre9-privs/include/linux/sched.h Thu Sep 11 08:24:42 1997 @@ -232,6 +232,7 @@ #ifdef CONFIG_POSIX6_CAP __cap_s cap_effective, cap_inheritable, cap_permitted; #endif + unsigned short aid, audit_event_mask; /* audit id & event mask */ char comm[16]; /* limits */ struct rlimit rlim[RLIM_NLIMITS]; @@ -295,6 +296,8 @@ # define INIT_CAPS #endif +#define INIT_AUDIT 0, ~0, + /* * INIT_TASK is used to set up the first task table, touch at * your own risk!. Base=0, limit=0x1fffff (=2MB) @@ -318,6 +321,7 @@ /* uid etc */ 0,0,0,0,0,0,0,0, \ /* suppl grps*/ {NOGROUP,}, \ /* cap's */ INIT_CAPS \ +/* aid, audit_event_mask */ INIT_AUDIT \ /* comm */ "swapper", \ /* rlimits */ INIT_RLIMITS, \ /* math */ 0, \ diff -urN linux-2.0.31pre9-privs-clean/kernel/Makefile linux-2.0.31pre9-privs/kernel/Makefile --- linux-2.0.31pre9-privs-clean/kernel/Makefile Wed Sep 10 15:05:45 1997 +++ linux-2.0.31pre9-privs/kernel/Makefile Thu Sep 11 07:57:51 1997 @@ -13,7 +13,7 @@ O_TARGET := kernel.o O_OBJS = sched.o dma.o fork.o exec_domain.o panic.o printk.o sys.o \ module.o exit.o signal.o itimer.o info.o time.o softirq.o \ - resource.o sysctl.o cap.o + resource.o sysctl.o cap.o audit.o ifeq ($(CONFIG_MODULES),y) OX_OBJS = ksyms.o diff -urN linux-2.0.31pre9-privs-clean/kernel/audit.c linux-2.0.31pre9-privs/kernel/audit.c --- linux-2.0.31pre9-privs-clean/kernel/audit.c Wed Dec 31 16:00:00 1969 +++ linux-2.0.31pre9-privs/kernel/audit.c Fri Sep 12 08:02:58 1997 @@ -0,0 +1,343 @@ +/* + * This file contains the kernel auditing interface. + * + * Copyright (c) 1997 Andrew G. Morgan + * 1024/2A398175 D7 B8 FB 8F 9C E5 43 A3 3D 41 17 8F D5 71 69 50 + * + * + * There is a single multipurpose auditing system call (for use by + * user-space): sys_auditor(). + * + * There is also an internal audit function that can be used to write + * kernel-driven audit events to the audit trail: kernel_auditor(). + * + * The intentions of these functions is to provide a mechanism for + * both the kernel and userspace to write arbitrary audit events to a + * kernel maintained audit buffer. This buffer is then drained from a + * sufficiently capable userspace daemon. The daemon itself is + * responsible for ensuring that the audit trail is safely deposited + * on some permanent medium (through calls to other parts of the + * kernel). This daemon is likely to need to turn off/limit auditing for + * its own actions. + * + * XXX - we could control task specific auditing with a task specific + * mask perhaps? + */ + +#include +#include +#include +#include +#include +#include + +/* this should probably be dynamically allocated */ + +static union audit_atom audit_buffer[MAX_AUDIT_ATOMS]; + +/* some global variables for blocking auditing calls */ + +struct wait_queue *audit_wait_queue = NULL; /* queued audit events */ +int audit_first_full_atom=0; /* where drain reads from */ +int audit_filled_data_atoms=0; /* how many filled atoms are there? */ +int audit_empty_atoms=MAX_AUDIT_ATOMS; /* how many empty atoms? */ +int audit_first_empty_atom=0; /* where new audit records are written to */ + +/* + * kernel level interface for writing to the audit trail + */ + +int kernel_auditwrite(int will_block, __u32 event_mask, __u16 length, + const void *data) +{ + int audit_atoms_needed, from, i; + /* Note, kernel calls; we can be severe about failures */ + audit_atoms_needed = ((length+AUDIT_DATA_ATOM_SIZE-1) + /AUDIT_DATA_ATOM_SIZE) + 1; + if (audit_atoms_needed > MAX_AUDIT_ATOMS) { + panic("kernel_auditor choked on large request (%d/%d)", + audit_atoms_needed, MAX_AUDIT_ATOMS); + } + + /* this must be after the above checks to avoid covert anlysis */ + if (!(current->audit_event_mask & event_mask)) { + return 0; + } + + /* + * XXX - this is where we would probably employ an audit filter. + * See the sys_auditor() function below for more comments. + */ + + /* now we wait(?) for an opportunity to write to the audit trail */ + cli(); + if (audit_atoms_needed > audit_empty_atoms) { + if (!will_block) { + sti(); + return ERESTARTSYS; /* audit would have blocked so return */ + } + /* wait for chance to write to audit trail */ + do { + /* we do not acknowledge signals until later -- XXX is there + * an "noninterruptible_sleep_on() fn? */ + interruptible_sleep_on(&audit_wait_queue); + } while (audit_atoms_needed > audit_empty_atoms); + } + + from = audit_first_empty_atom & MAX_AUDIT_WRAP_MASK; + audit_empty_atoms -= audit_atoms_needed; + audit_first_empty_atom += audit_atoms_needed; + audit_filled_data_atoms += audit_atoms_needed--; /* NB '--' */ + audit_buffer[from].header.generation = AUDIT_RECORD_LOCKED; + sti(); + + /* now we have control of enough of the audit buffer to write this + kernel audit event - we are _committed_ to doing it to. */ + + /* copy the whole blocks */ + for (i=1; iaid; + audit_buffer[from].header.proc_id = current->pid; + audit_buffer[from].header.event_class = + event_mask | AUDIT_EVENT_CLASS_KERNEL; + audit_buffer[from].header.time_sec = xtime.tv_sec; + audit_buffer[from].header.time_nsec = 1000*xtime.tv_usec; + audit_buffer[from].header.unused = 0; + + /* header is prepared now: mark buffer as ready to go. */ + audit_buffer[from].header.generation = AUDIT_CURRENT_GENERATION; + + /* wake up next process waiting on this queue */ + wake_up_interruptible(&audit_wait_queue); + + return 0; /* success! */ +} + +/* user level interface for changing audit status of current task */ + +asmlinkage int sys_auditswitch(__u32 new_audit_mask, __u32 *old_audit_mask_p) +{ + /* turn off auditing for this task */ + if (!capable(CAP_AUDIT_CONTROL)) { + /* user is not permitted to interact with auditing behavior */ + return -EPERM; + } + if (!verify_area(VERIFY_WRITE, old_audit_mask_p, sizeof(__u32))) { + return -EINVAL; + } + + /* XXX - this should be audited ;^) */ + memcpy_tofs(old_audit_mask_p, &(current->audit_event_mask), + sizeof(*old_audit_mask_p)); + + current->audit_event_mask = new_audit_mask; + + /* all done */ + return 0; +} + +/* user level interface for writing audit data */ + +asmlinkage int sys_auditwrite(__u32 event_mask, int length, + const void *user_audit_data) +{ + int audit_atoms_needed, from, i; + + /* verify that the request is valid */ + if (!capable(CAP_AUDIT_WRITE)) { + /* user is not permitted to write to the audit log */ + return -EPERM; + } + audit_atoms_needed = ((length+AUDIT_DATA_ATOM_SIZE-1) + /AUDIT_DATA_ATOM_SIZE) + 1; + if (audit_atoms_needed > MAX_AUDIT_ATOMS) { + /* user is trying to dump too much into the audit buffer */ + return -EMSGSIZE; + } + if (!verify_area(VERIFY_READ, user_audit_data, length)) { + return -EINVAL; + } + + /* this must be after the above checks to avoid covert anlysis */ + if (!(current->audit_event_mask & event_mask)) { + return 0; + } + + /* + * XXX - this is likely where we would call an audit filter + * that would decide if we want events to be + * logged. A possible candidate for a module and/or + * an accept reject rule-set. + * + * Note, to avoid a user-level program probing the + * severity of the current audit selection rules, this + * check has to be _after_ verifying the user provided + * arguments are valid. + */ + + /* + * block until we can get a section of the audit buffer to ourselves + */ + cli(); + while (audit_atoms_needed > audit_empty_atoms) { + /* return if interrupted */ + if (current->signal & ~current->blocked) { + sti(); + return -ERESTARTSYS; + } + /* sleep until we next get to the front of the queue */ + interruptible_sleep_on(&audit_wait_queue); + } + from = audit_first_empty_atom & MAX_AUDIT_WRAP_MASK; + audit_empty_atoms -= audit_atoms_needed; + audit_first_empty_atom += audit_atoms_needed; + audit_filled_data_atoms += audit_atoms_needed--; /* NB '--' */ + audit_buffer[from].header.generation = AUDIT_RECORD_LOCKED; + sti(); + + /* now we have a section of the buffer (possibly wrapped) that + is ours to keep. It will not be drained until the 'generation' + field of the first block in this reserved section is + non-zero... */ + + /* copy the whole blocks */ + for (i=1; iaid; + audit_buffer[from].header.proc_id = current->pid; + audit_buffer[from].header.event_class = + event_mask & ~AUDIT_EVENT_CLASS_KERNEL; + audit_buffer[from].header.time_sec = xtime.tv_sec; + audit_buffer[from].header.time_nsec = 1000*xtime.tv_usec; + audit_buffer[from].header.unused = 0; + + /* header is prepared now: mark buffer as ready to go. */ + audit_buffer[from].header.generation = AUDIT_CURRENT_GENERATION; + + /* wake up next process waiting on this queue */ + wake_up_interruptible(&audit_wait_queue); + + return 0; /* success! */ +} + +/* userspace function to drain the audit buffer - not POSIX, but + needed if we are to avoid too much kernel bloat. */ + +asmlinkage int sys_auditor(void *sink_for_audit_data, int length, + int *number_p) +{ + int from, i, audit_atoms_needed; + + /* verify that we are permitted to drain the buffer */ + if (!capable(CAP_AUDIT_CONTROL)) { + return -EPERM; + } + + /* verify argument pointers */ + if (verify_area(VERIFY_WRITE, sink_for_audit_data, length) + || verify_area(VERIFY_WRITE, number_p, sizeof(int))) { + return -EINVAL; + } + + /* loop until we have read everything or filled the supplied buffer */ + cli(); + /* loop until something is available */ + while (audit_first_full_atom == audit_first_empty_atom) { + /* return if interrupted */ + if (current->signal & ~current->blocked) { + sti(); + return -ERESTARTSYS; + } + /* sleep until we next get to the front of the queue - we + share this queue with the writing part of the audit + code. */ + interruptible_sleep_on(&audit_wait_queue); + } + + /* we have some audit data - verify that nothing has broken */ + if (audit_first_full_atom > audit_first_empty_atom) { + sti(); + panic("auditor has overrun audit trail (%d/%d)\n", + audit_first_full_atom, audit_first_empty_atom); + } + + /* now we take out as many individual audit entries as we can + given the space limitations imposed by the calling process. */ + + i = 0; + while (audit_first_full_atom < audit_first_empty_atom && + (from = (audit_first_full_atom & MAX_AUDIT_WRAP_MASK), + audit_buffer[from].header.generation)) { + /* check we have space left */ + if (length < i+audit_buffer[from].header.length) { + if (i) { + break; /* have something so return it */ + } else { + sti(); + return -EMSGSIZE; + } + } + + /* we have enough space to copy this audit record (too) */ + audit_atoms_needed = + (audit_buffer[from].header.length + + AUDIT_DATA_ATOM_SIZE-1)/ AUDIT_DATA_ATOM_SIZE; + + if ((from + audit_atoms_needed) > MAX_AUDIT_ATOMS) { + /* need to handle the wrapped entry case */ + int partial = AUDIT_DATA_ATOM_SIZE + *(MAX_AUDIT_ATOMS-from); + + memcpy_tofs(sink_for_audit_data+i, + &audit_buffer[from].header, partial); + memcpy_tofs(sink_for_audit_data+i+partial, + &audit_buffer[0].header, + audit_buffer[from].header.length-partial); + } else { + /* one simple chunk */ + memcpy_tofs(sink_for_audit_data+i, + &audit_buffer[from].header, + audit_buffer[from].header.length); + } + /* less space available for any more audit events */ + i += audit_buffer[from].header.length; + + /* and finally we move on to the next block */ + audit_filled_data_atoms -= audit_atoms_needed; + audit_empty_atoms += audit_atoms_needed; + audit_first_full_atom += audit_atoms_needed; + } + sti(); + memcpy_tofs(number_p, &i, sizeof(i)); + + /* wake up next process waiting on this queue */ + wake_up_interruptible(&audit_wait_queue); + + return 0; /* success! */ +} diff -urN linux-2.0.31pre9-privs-clean/kernel/exit.c linux-2.0.31pre9-privs/kernel/exit.c --- linux-2.0.31pre9-privs-clean/kernel/exit.c Wed Sep 10 15:05:45 1997 +++ linux-2.0.31pre9-privs/kernel/exit.c Thu Sep 11 21:34:43 1997 @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -604,6 +605,18 @@ asmlinkage int sys_exit(int error_code) { + { + int result; + + _Audit_begin(2*sizeof(int)); + _Audit_append_simple(int, AUD_AET_EXIT); + _Audit_append_simple(int, error_code); + _Audit_if_not_ok(_AUDIT_CAN_BLOCK, + AUDIT_EVENT_CLASS_END|AUDIT_EVENT_CLASS_PROC, + &result) { + panic("failed to audit exit pid=%d", current->pid); + } + } do_exit((error_code&0xff)<<8); } diff -urN linux-2.0.31pre9-privs-clean/kernel/printk.c linux-2.0.31pre9-privs/kernel/printk.c --- linux-2.0.31pre9-privs-clean/kernel/printk.c Wed Sep 10 15:05:46 1997 +++ linux-2.0.31pre9-privs/kernel/printk.c Wed Sep 10 20:36:10 1997 @@ -66,7 +66,7 @@ char c; int error; - if ((type != 3) && !capable(CAP_AUDIT_CONTROL)) /* CAP.FIXME */ + if ((type != 3) && !capable(CAP_SYS_ADMIN)) /* CAP.FIXME */ return -EPERM; switch (type) { case 0: /* Close log */ diff -urN linux-2.0.31pre9-privs-clean/scripts/audit_events.pre linux-2.0.31pre9-privs/scripts/audit_events.pre --- linux-2.0.31pre9-privs-clean/scripts/audit_events.pre Wed Dec 31 16:00:00 1969 +++ linux-2.0.31pre9-privs/scripts/audit_events.pre Thu Sep 11 17:28:32 1997 @@ -0,0 +1,29 @@ +# +# It is intended that this file will contain all of the audit events. +# Before compiling the kernel, this file will be parsed into the form +# of an include file that can be used to include appropriate events +# with a custom macro. It should also be noted that the output file +# will contain appropriate provision for compiling without audit support +# by providing an alternative #define for each macro. +# +# Version 0 of the syntax is something like: +# +# macro_name(macro_args) AUD_AET_"EVENT_IDENTIFIER" { +# [ type , value ] +# < type , value_p > +# ... +# } +# +# Where the AUD_AET_"EVENT_IDENTIFIER" is the id for the specific audit +# event. [ ] indicates that the datum will expand to _Audit_append_simple() +# and <> to _Audit_append_by_ptr . +# +# The principal reason for thinking this is a good idea is that this will +# make the creation of an audit analysis tool much easier. Another +# alternative is to simply parse the 'C' of the kernel for events as they +# appear there.. +# +# Currently, this latter course is chosen as we have few audited events. +# Later this may become inappropriate and we can return to the suggestions +# above. +#