The rtld-audit interface is enabled by one of two means. Each method implies a scope to the objects that are audited.
Global auditing is enabled using the runtime linker environment variable LD_AUDIT
. The audit
libraries made available by this method are provided with information regarding all dynamic objects used by the process.
Local auditing is enabled through dynamic entries recorded within an object at the time it was built. The audit libraries made available by this method are provided with information regarding those dynamic objects identified for auditing.
Either method of invocation consists of a string that contains a colon-separated list of shared objects that are loaded by dlmopen(3DL). Each object is loaded onto its own audit link-map list. Each object is also searched for audit routines using dlsym(3DL). Audit routines that are found are called at various stages during the applications execution.
The rtld-audit interface enables multiple audit libraries to be supplied. Audit libraries that expect to be employed in this fashion should not alter the bindings that would normally be returned by the runtime linker. Altering these bindings can produce unexpected results from audit libraries that follow.
Secure applications can only obtain audit libraries from trusted directories. Presently, the only trusted directory known to the runtime linker is /usr/lib/secure for 32–bit objects or /usr/lib/secure/64 for 64–bit objects.