Audit record ordering requirements

Casey Schaufler casey at schaufler-ca.com
Thu Mar 26 23:49:32 UTC 2020


I'm looking at adding an audit record type for the case where
there are multiple security modules providing subject data. There
are several reasons to create a new record rather than adding the
additional information to existing records, including possible
size overflows and format compatibility.

While working with the code I have found that it is much easier
if the new record (I'm calling it MAC_TASK_CONTEXTS) can be generated
before the "base" record, which could be a SYSCALL record, than
after it. Can I get away with this? I haven't seen any documentation
that says the CWD record has to follow the event's SYSCALL record,
but I wouldn't be at all surprised if it's implicitly assumed.

Thanks.
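The ordering question above is, from a consumer's side, a question of whether log processors assume the SYSCALL record comes first. The following is an added illustration, not part of the original post or of the kernel audit code: a small Python assembler that groups records by the `msg=audit(timestamp:serial)` key and reconstructs each event regardless of the order its records arrive in, then reports which events carry records ahead of their SYSCALL record. The log lines, the field names inside the MAC_TASK_CONTEXTS record (`subj_selinux`, `subj_apparmor`), and the pid/uid values are all constructed for this example; the real record format for MAC_TASK_CONTEXTS is not defined on this page.

```python
import re
from collections import defaultdict

# Common prefix of every audit record: type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <body>
HEADER = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs in the body; values may be double-quoted strings or bare tokens
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log. Event 101 has the (hypothetical) MAC_TASK_CONTEXTS record
# *before* its SYSCALL record; event 102 has it after. Field names inside
# MAC_TASK_CONTEXTS are made up for this illustration.
SAMPLE_LOG = """\
type=MAC_TASK_CONTEXTS msg=audit(1585266572.123:101): subj_selinux="unconfined_u:unconfined_r:unconfined_t:s0" subj_apparmor="unconfined"
type=SYSCALL msg=audit(1585266572.123:101): arch=c000003e syscall=2 success=no exit=-13 pid=4242 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=CWD msg=audit(1585266572.123:101):  cwd="/home/example"
type=PATH msg=audit(1585266572.123:101): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1585266572.124:102): arch=c000003e syscall=2 success=yes exit=3 pid=4243 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=CWD msg=audit(1585266572.124:102):  cwd="/home/example"
type=PATH msg=audit(1585266572.124:102): item=0 name="/etc/hostname" nametype=NORMAL
type=MAC_TASK_CONTEXTS msg=audit(1585266572.124:102): subj_selinux="unconfined_u:unconfined_r:unconfined_t:s0" subj_apparmor="unconfined"
"""


def parse_record(line):
    """Parse one audit record into its type, event key and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("body"))}
    return {
        "type": m.group("type"),
        "ts": m.group("ts"),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def group_events(lines):
    """Group records by (timestamp, serial), preserving arrival order within each event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[(rec["ts"], rec["serial"])].append(rec)
    return dict(events)


def assemble_event(records):
    """Build a type -> [fields, ...] view of one event; order of arrival does not matter."""
    assembled = defaultdict(list)
    for rec in records:
        assembled[rec["type"]].append(rec["fields"])
    return dict(assembled)


def records_before_syscall(records):
    """Return the types of records that arrived ahead of the event's SYSCALL record."""
    for i, rec in enumerate(records):
        if rec["type"] == "SYSCALL":
            return [r["type"] for r in records[:i]]
    return []  # no SYSCALL record in this event (e.g. a standalone record)


def leading_records(events):
    """Map serial -> record types that precede SYSCALL, for events where that happens."""
    result = {}
    for (_ts, serial), records in events.items():
        before = records_before_syscall(records)
        if before:
            result[serial] = before
    return result


EVENTS = group_events(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for key, records in EVENTS.items():
        ev = assemble_event(records)
        print(key, "syscall =", ev["SYSCALL"][0]["syscall"],
              "types =", sorted(ev), "before SYSCALL =", records_before_syscall(records))
    print("events with records ahead of SYSCALL:", leading_records(EVENTS))
```

Because the assembler keys on the event serial rather than on position, both events reconstruct identically; the only difference the ordering makes is visible in `leading_records`, which is what a log-processing tool that does assume SYSCALL-first would trip over.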