IBM 10 SP1 EAL4 User Manual
5.6.1.1.5 Audit context fields
• Login ID: Login ID is the user ID of the logged-in user. It remains unchanged through the setuid() or seteuid() system calls. Login ID is required by the Controlled Access Protection Profile to irrefutably associate a user with that user’s actions, even across su() calls or use of setuid binaries.
• state: state represents the audit state that controls the creation of per-task audit context and filling of system call specifics in the audit context. It can take the following values:
AUDIT_DISABLED          Do not create per-task audit_context. No syscall specific audit records will be generated for the task.
AUDIT_SETUP_CONTEXT     Create the per task audit_context, but don't necessarily fill it in at syscall entry time (i.e., filter instead).
AUDIT_BUILD_CONTEXT     Create the per task audit_context, and always fill it in at syscall entry time. This makes a full syscall record available if some other part of the kernel decides it should be recorded.
AUDIT_RECORD_CONTEXT    Create the per task audit_context, always fill it in at syscall entry time, and always write out the audit record at syscall exit time.
Table 5-1: Audit Context States
• in_syscall: States whether the process is running in a syscall versus in an interrupt.
Figure 5-71: Task Structure
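The following is an added example, not code from the manual or from the kernel: a simplified user-space model of the four states in Table 5-1 that also shows the Login ID staying fixed while the effective UID changes. The names run_syscall and filter_matches, the syscall numbers, the single-rule filter and the login UID 1000 are assumptions made for the illustration.

```c
/* Added example: user-space model of Table 5-1, not kernel code. */
#include <stdbool.h>
#include <stddef.h>

enum audit_state { AUDIT_DISABLED, AUDIT_SETUP_CONTEXT,
                   AUDIT_BUILD_CONTEXT, AUDIT_RECORD_CONTEXT };
enum { NR_SETUID = 1, NR_OTHER = 2 };    /* constructed syscall numbers */

struct audit_context {
    enum audit_state state;
    bool in_syscall;      /* true between syscall entry and exit */
    bool filled;          /* syscall specifics captured at entry */
    bool auditable;       /* a record will be written at exit */
    unsigned loginuid;    /* fixed at login, untouched by setuid()/seteuid() */
};
struct task { unsigned euid; struct audit_context *ctx; };

/* Hypothetical rule list: only the setuid syscall is watched. */
static bool filter_matches(int nr) { return nr == NR_SETUID; }

static void syscall_entry(struct task *t, int nr)
{
    struct audit_context *c = t->ctx;
    if (!c) return;                       /* AUDIT_DISABLED: no context exists */
    c->in_syscall = true;
    if (c->state == AUDIT_SETUP_CONTEXT && !filter_matches(nr)) return;
    c->filled = true;                     /* BUILD, RECORD, or a filter hit */
    c->auditable = (c->state != AUDIT_BUILD_CONTEXT);
}

/* Login ID stamped on the record written at exit, or -1 if none is written. */
static long syscall_exit(struct task *t)
{
    struct audit_context *c = t->ctx;
    if (!c || !c->in_syscall) return -1;
    c->in_syscall = false;
    return (c->filled && c->auditable) ? (long)c->loginuid : -1;
}

/* One syscall by login user 1000 (assumed value); `flagged` means some other
 * part of the kernel decides the syscall should be recorded. */
long run_syscall(enum audit_state st, int nr, bool flagged, unsigned *euid_after)
{
    struct audit_context c = { .state = st, .loginuid = 1000 };
    struct task t = { 1000, st == AUDIT_DISABLED ? NULL : &c };
    syscall_entry(&t, nr);
    if (nr == NR_SETUID) t.euid = 0;      /* identity changes, loginuid does not */
    if (flagged && c.filled) c.auditable = true;
    *euid_after = t.euid;
    return syscall_exit(&t);
}
```

In this model a record written for the setuid call still carries login ID 1000 although the effective UID has become 0, and under AUDIT_BUILD_CONTEXT a record appears only when the call is flagged.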