[RFC PATCH v1] audit: log AUDIT_TIME_* records only from rules

Paul Moore paul at paul-moore.com
Thu Nov 4 21:29:24 UTC 2021


On Thu, Nov 4, 2021 at 5:00 PM Richard Guy Briggs <rgb at redhat.com> wrote:
>
> AUDIT_TIME_* events are generated when there are syscall rules present that are
> not related to time keeping.  This will produce noisy log entries that could
> flood the logs and hide events we really care about.
>
> Rather than immediately produce the AUDIT_TIME_* records, store the data and
> log it at syscall exit time respecting the filter rules.
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919

Unfortunately that URL isn't publicly accessible.  It might be helpful
to simply add the relevant information to the commit description[1]
and omit the link entirely.  Since this is just an RFC, please don't
resend the patch just to include that information, you can simply
reply to this thread with the additional info.

-- 
paul moore
www.paul-moore.com



