[RFC PATCH v1] audit: log AUDIT_TIME_* records only from rules

Richard Guy Briggs rgb at redhat.com
Thu Nov 4 21:53:13 UTC 2021


On 2021-11-04 17:29, Paul Moore wrote:
> On Thu, Nov 4, 2021 at 5:00 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> >
> > AUDIT_TIME_* events are generated when there are syscall rules present that are
> > not related to time keeping.  This will produce noisy log entries that could
> > flood the logs and hide events we really care about.
> >
> > Rather than immediately produce the AUDIT_TIME_* records, store the data and
> > log it at syscall exit time respecting the filter rules.
> >
> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919
> 
> Unfortunately that URL isn't publicly accessible.  It might be helpful
> to simply add the relevant information to the commit description[1]
> and omit the link entirely.  Since this is just an RFC, please don't
> resend the patch just to include that information, you can simply
> reply to this thread with the additional info.

Hmmm, sorry about that.  There isn't really anything in that bz that
shouldn't be public, but I'll check before opening it up...

Basically it was a report that:
TIME_ADJNTPVAL audit events are not generated if there are no syscalls
rules, but that these events are generated when at least one unrelated
syscall rule is added.

This behaviour was confirmed but the conclusion about what should be the
correct behaviour differed from that of the reporter.

> paul moore

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635