Audit record ordering requirements

Paul Moore paul at paul-moore.com
Fri Mar 27 00:28:51 UTC 2020


On Thu, Mar 26, 2020 at 7:49 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> I'm looking at adding an audit record type for the case where
> there are multiple security modules providing subject data. There
> are several reasons to create a new record rather than adding the
> additional information to existing records, including possible
> size overflows and format compatibility.
>
> While working with the code I have found that it is much easier
> if the new record (I'm calling it MAC_TASK_CONTEXTS) can be generated
> before the "base" record, which could be a SYSCALL record, than
> after it. Can I get away with this? I haven't seen any documentation
> that says the CWD record has to follow the event's SYSCALL record,
> but I wouldn't be at all surprised if it's implicitly assumed.

From a kernel perspective, as long as the timestamp matches (so it's
considered part of the same "event") I've got no problem with that.
However, Steve's audit userspace has a lot of assumptions about how
things are done so it's probably best that he comments on this so his
tools don't blow up.

-- 
paul moore
www.paul-moore.com
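The point Paul makes above, that records belong to the same event when their audit(timestamp:serial) id matches, regardless of the order they are emitted in, is easy to see with a grouping pass over a log. The following Python is an added example, not code from this thread or from the audit project; the sample records are constructed, the MAC_TASK_CONTEXTS record is deliberately placed before its SYSCALL record as Casey proposes, and the field names inside that record are assumed, since the record format was still being designed at the time of the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not captured from a real system).
# Event 456 has its MAC_TASK_CONTEXTS record *before* the SYSCALL record;
# the field names in that record (subj_selinux, subj_smack) are assumed.
SAMPLE_LOG = """\
type=MAC_TASK_CONTEXTS msg=audit(1585268931.123:456): subj_selinux=system_u:system_r:init_t:s0 subj_smack=_
type=SYSCALL msg=audit(1585268931.123:456): arch=c000003e syscall=59 success=yes exit=0 pid=1234 comm="ls"
type=CWD msg=audit(1585268931.123:456): cwd="/root"
type=PATH msg=audit(1585268931.123:456): item=0 name="/bin/ls"
type=PROCTITLE msg=audit(1585268931.123:456): proctitle="ls"
type=SYSCALL msg=audit(1585268931.124:457): arch=c000003e syscall=2 success=no exit=-13 pid=1235 comm="cat"
type=CWD msg=audit(1585268931.124:457): cwd="/tmp"
"""

# Every kernel audit record carries "msg=audit(<seconds>.<millis>:<serial>):";
# the (timestamp, serial) pair is the event id that ties records together.
EVENT_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)


def parse_record(line):
    """Split one audit line into its record type, event id and remaining body."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"type": m["type"], "event_id": (m["ts"], m["serial"]), "body": m["body"]}


def group_events(text):
    """Group records by event id, keeping the order in which they arrived.

    Ordering within an event is *not* used for grouping, so a record that
    precedes its SYSCALL record still lands in the right event.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event_id"]].append(rec)
    return dict(events)


def record_types(events, event_id):
    """Record types of one event, in arrival order."""
    return [r["type"] for r in events[event_id]]


def events_missing_syscall(events):
    """Event ids that have no SYSCALL record at all (a truly incomplete event,
    as opposed to one whose SYSCALL record merely arrived late)."""
    return [eid for eid, recs in events.items()
            if not any(r["type"] == "SYSCALL" for r in recs)]


def canonical_order(records):
    """Put the SYSCALL "base" record first and keep the other records in
    arrival order, the accommodation a userspace consumer that assumes
    SYSCALL-first ordering would need to make."""
    syscalls = [r for r in records if r["type"] == "SYSCALL"]
    others = [r for r in records if r["type"] != "SYSCALL"]
    return syscalls + others


if __name__ == "__main__":
    events = group_events(SAMPLE_LOG)
    for eid, recs in events.items():
        print(eid, record_types(events, eid), "->",
              [r["type"] for r in canonical_order(recs)])
```

The grouping step is where a consumer should be order-agnostic; only a tool that treats "first record of an event" as synonymous with "the SYSCALL record" needs the canonical_order step, which is exactly the kind of userspace assumption the reply suggests checking with the audit userspace maintainer.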
