[PATCH v15 21/23] Audit: Include object data for all security modules
Paul Moore
paul at paul-moore.com
Mon Mar 9 17:59:48 UTC 2020
On Mon, Mar 9, 2020 at 1:45 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> On 3/6/2020 6:31 PM, Paul Moore wrote:
> > Either way, the "obj=" field should stay where it is, but the
> > "obj_XXX=" fields need to find their way to the end of the record.
>
> As Steve pointed out, there may be a bigger issue here. If the additional
> fields aren't going to fit in MAX_AUDIT_MESSAGE_LENGTH bytes another
> format may be required. I had hoped that perhaps obj_selinux= might count
> as a refinement to obj= and hence not be considered a new field, but
> it looks like that's not flying.
Regardless, the field placement guidance remains the same.
As far as the record limitation; yes, Steve's audit userspace does
have a limit, but I do wonder how limiting an 8k record size really is
for the majority of systems. My guess is "not too bad". If you are
concerned about that, I imagine you could always tack on a new record
to relevant events with additional LSM subj/obj info. Some of the
audit container ID pre-work have made that less painful than it would
have been in the past, but it will still be a bit of work to get it
right.
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list