5 audit context fields – IBM Novell 10 SP1 EAL4 User Manual


5.6.1.1.5 Audit context fields

Login ID: Login ID is the user ID of the logged-in user. It remains unchanged through the setuid() or seteuid() system calls. Login ID is required by the Controlled Access Protection Profile to irrefutably associate a user with that user’s actions, even across su() calls or use of setuid binaries.

state: state represents the audit state that controls the creation of per-task audit context and filling of system call specifics in the audit context. It can take the following values:

AUDIT_DISABLED: Do not create per-task audit_context. No syscall-specific audit records will be generated for the task.

AUDIT_SETUP_CONTEXT: Create the per-task audit_context, but don't necessarily fill it in at syscall entry time (i.e., filter instead).

AUDIT_BUILD_CONTEXT: Create the per-task audit_context, and always fill it in at syscall entry time. This makes a full syscall record available if some other part of the kernel decides it should be recorded.

AUDIT_RECORD_CONTEXT: Create the per-task audit_context, always fill it in at syscall entry time, and always write out the audit record at syscall exit time.

Table 5-1: Audit Context States

in_syscall: States whether the process is running in a syscall versus in an interrupt.
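
Because the Login ID described above does not change across setuid() or seteuid(), an audit reviewer can attribute each record to the user who originally logged in. The following is an added example, not part of the manual: it assumes Linux audit SYSCALL records that carry the login ID in an auid= field, with 4294967295 meaning "not set", and the sample records are constructed.

```python
import re
from collections import defaultdict

# Assumption: (uid_t)-1 marks a task with no login ID (e.g. a boot-time daemon).
UNSET_AUID = 4294967295

# Constructed sample records in Linux audit SYSCALL format (not from the manual).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=4101 auid=1000 uid=1000 euid=1000 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1700000005.220:502): arch=c000003e syscall=2 success=yes exit=3 pid=4120 auid=1000 uid=0 euid=0 comm="vi" exe="/usr/bin/vi"
type=SYSCALL msg=audit(1700000009.007:503): arch=c000003e syscall=90 success=yes exit=0 pid=4133 auid=1001 uid=1001 euid=0 comm="passwd" exe="/usr/bin/passwd"
type=SYSCALL msg=audit(1700000012.450:504): arch=c000003e syscall=2 success=yes exit=4 pid=812 auid=4294967295 uid=0 euid=0 comm="cron" exe="/usr/sbin/cron"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def attribute(log_text):
    """Group SYSCALL records by login ID and label how the identity changed."""
    by_login = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or "auid" not in rec:
            continue
        auid, uid, euid = int(rec["auid"]), int(rec["uid"]), int(rec["euid"])
        if auid == UNSET_AUID:
            how = "no-login"          # task never went through a login
        elif uid != auid:
            how = "switched-user"     # real UID changed, e.g. via su
        elif euid != uid:
            how = "setuid-binary"     # only the effective UID differs
        else:
            how = "direct"
        by_login[auid].append((rec["exe"], euid, how))
    return dict(by_login)

if __name__ == "__main__":
    for auid, actions in attribute(SAMPLE_LOG).items():
        for exe, euid, how in actions:
            print(f"login_id={auid} euid={euid} exe={exe} [{how}]")
```

Records with an unset login ID cannot be tied to a logged-in user, so the example reports them separately instead of folding them into uid 0.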


Figure 5-71: Task Structure
