Audit record emission

Stephen Smalley sds at tycho.nsa.gov
Thu May 5 19:42:49 UTC 2005


On Thu, 2005-05-05 at 15:37 -0400, Steve Grubb wrote:
> Hi,
> 
> I was looking into a problem from the test team and ran across this comment in 
> the kernel code:
> 
> http://lxr.linux.no/source/kernel/auditsc.c#L652
> 
> It basically says that audit records may be emitted as event records are 
> generated as opposed to syscall exit. The problem shows up during stress 
> testing. The records that get sent from the kernel are nowhere close to each 
> other and are hard to correlate.
> 
> The comment says that if the current technique isn't suitable, maybe we can 
> keep formatted records off of the context and then send them all at syscall 
> exit. 
> 
> Can anyone see any problems with changing this?

The comment is primarily addressed to other users of the audit
subsystem, like SELinux, which immediately generate audit records of
their own rather than saving their data in the current audit context for
later processing by audit_log_exit.  For all other audit generation, it
should all occur from audit_log_exit IIUC.  However, audit_log_exit()
presently uses several audit_log_start()...audit_log_end() sequences
rather than a single one, which does split up the syscall audit record
information.  I'm not entirely sure why it doesn't just bracket the
entire body of audit_log_exit() with a single
audit_log_start();...audit_log_end(); sequence.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
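Added illustration, not code from this thread, from the kernel, or from the audit userspace tools. The correlation problem Steve describes has one fixed handle: every record the kernel emits for a given event, whether written from audit_log_exit at syscall exit or immediately by another user of the audit subsystem such as SELinux, carries the same msg=audit(<seconds>.<millis>:<serial>) header. Grouping by that key reassembles an event however far apart its records arrive. The log lines below are constructed for the example (pids, inodes and contexts are invented), and the record types expected per event are an assumption made for the check at the end.

```python
"""Regroup interleaved Linux audit records by their event id."""
import re
from collections import OrderedDict

# msg=audit(1115322000.123:456)  ->  event id "1115322000.123:456"
_HDR = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'\s*(?P<body>.*)$'
)


def parse_record(line):
    """Return (event_id, type, body) for one audit line, or None when the
    line does not carry the standard audit header."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    event_id = "%s:%s" % (m.group("ts"), m.group("serial"))
    return event_id, m.group("type"), m.group("body")


def correlate(lines):
    """Group records by event id.  Events keep first-seen order and the
    records inside an event keep their arrival order, so the output is
    what a single contiguous emission at syscall exit would have looked
    like.  Returns an OrderedDict: event_id -> [(type, body), ...]."""
    events = OrderedDict()
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue  # blank lines, daemon chatter, truncated records
        event_id, rtype, body = parsed
        events.setdefault(event_id, []).append((rtype, body))
    return events


def incomplete_events(events, required=("SYSCALL",)):
    """Event ids missing a record type every syscall event should carry
    (assumed here: at least a SYSCALL record).  These are the events
    whose remaining records were lost or never flushed."""
    return [
        eid for eid, recs in events.items()
        if not all(any(t == need for t, _ in recs) for need in required)
    ]


# Constructed sample: records of events 456 and 457 arrived interleaved,
# event 456 also has an AVC record emitted directly by SELinux, and
# event 458 only ever delivered its CWD record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1115322000.123:456): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=1001 uid=500 comm="cat" exe="/bin/cat"
type=AVC msg=audit(1115322000.123:456): avc:  denied  { read } for  pid=1001 comm="cat" name="shadow" dev=hda2 ino=1234 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1115322000.130:457): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1002 uid=0 comm="sh" exe="/bin/sh"
type=CWD msg=audit(1115322000.123:456):  cwd="/home/user"
type=PATH msg=audit(1115322000.130:457): item=0 name="/etc/passwd" inode=5678 dev=03:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1115322000.123:456): item=0 name="/etc/shadow" inode=1234 dev=03:02 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1115322000.140:458):  cwd="/tmp"
"""


if __name__ == "__main__":
    grouped = correlate(SAMPLE_LOG.splitlines())
    for eid, recs in grouped.items():
        print("event %s:" % eid)
        for rtype, body in recs:
            print("    %-8s %s" % (rtype, body))
    print("incomplete:", incomplete_events(grouped))
```

Run stand-alone it prints each event with its records back in one block; feed it `ausearch`-style raw output or a parsed audit.log instead of SAMPLE_LOG to do the same on real data. The serial alone is not a safe key across reboots, which is why the timestamp stays part of the id.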
