* The audit "context" and when to expect it.

From: Casey Schaufler @ 2020-05-29 17:59 UTC
To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs

What does a NULL audit context (e.g. ab->cxt == NULL) tell
me about the status of the audit buffer? It seems like it should
be telling me that the audit buffer is being created for some
purpose unrelated to the current task. And yet there are places
where information is pulled from the current task even when
the cxt is NULL.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: The audit "context" and when to expect it.

From: Paul Moore @ 2020-05-29 19:01 UTC
To: Casey Schaufler; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> What does a NULL audit context (e.g. ab->cxt == NULL) tell
> me about the status of the audit buffer? It seems like it should
> be telling me that the audit buffer is being created for some
> purpose unrelated to the current task. And yet there are places
> where information is pulled from the current task even when
> the cxt is NULL.

The simple answer is that a NULL audit_context indicates a standalone
record, meaning a record with a unique timestamp so that it is not
associated with any other records into an event. If the audit_context
is not NULL then the information in the context is used to group, or
associate, all of the records sharing that context into a single
event.

This is just one example, but a non-NULL audit_context is how PATH
records end up being associated with SYSCALL records in a single
event.

--
paul moore
www.paul-moore.com
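The grouping Paul describes is visible from user space in the `msg=audit(timestamp:serial)` key that every record carries: records emitted under one audit_context share the key, while a record written with a NULL context gets a key of its own. The following is an added example, not code from the thread or from the kernel, that groups constructed audit log lines into events by that key; the field values in the sample are made up.

```python
import re
from collections import OrderedDict

# Constructed sample log (not from the thread). Records 456 were written under
# one non-NULL audit_context, so SYSCALL, CWD, PATH and PROCTITLE share the key;
# 457 and 458 were written with a NULL context and each form a standalone event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1590775149.123:456): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key="etc-read"
type=CWD msg=audit(1590775149.123:456): cwd="/root"
type=PATH msg=audit(1590775149.123:456): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 nametype=NORMAL
type=PROCTITLE msg=audit(1590775149.123:456): proctitle=636174002F6574632F706173737764
type=CONFIG_CHANGE msg=audit(1590775150.001:457): auid=1000 ses=3 op=add_rule key="etc-read" list=4 res=1
type=USER_LOGIN msg=audit(1590775151.500:458): pid=2200 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

# Every record starts with its type and the audit(timestamp:serial) event key.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):')

def parse_record(line):
    """Return the record type and event key, or None for a non-audit line."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    return {"type": m.group("type"),
            "event_id": (m.group("ts"), int(m.group("serial"))),
            "raw": line}

def group_events(log_text):
    """Map each (timestamp, serial) key to the ordered list of record types in it."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        events.setdefault(rec["event_id"], []).append(rec["type"])
    return events

def standalone_events(events):
    """Keys of single-record events: what a NULL audit_context produces."""
    return [eid for eid, types in events.items() if len(types) == 1]

def syscall_events_with_paths(events):
    """Keys of events where PATH records were associated with a SYSCALL record."""
    return [eid for eid, types in events.items()
            if "SYSCALL" in types and "PATH" in types]

if __name__ == "__main__":
    for eid, types in group_events(SAMPLE_LOG).items():
        print(eid, types)
```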
* Re: The audit "context" and when to expect it.

From: Casey Schaufler @ 2020-05-29 21:42 UTC
To: Paul Moore; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On 5/29/2020 12:01 PM, Paul Moore wrote:
> On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> What does a NULL audit context (e.g. ab->cxt == NULL) tell
>> me about the status of the audit buffer? It seems like it should
>> be telling me that the audit buffer is being created for some
>> purpose unrelated to the current task. And yet there are places
>> where information is pulled from the current task even when
>> the cxt is NULL.
> The simple answer is that a NULL audit_context indicates a standalone
> record, meaning a record with a unique timestamp so that it is not
> associated with any other records into an event. If the audit_context
> is not NULL then the information in the context is used to group, or
> associate, all of the records sharing that context into a single
> event.

OK, so if I want to add a sub-record with the multiple secctx values
for the events that include a subject value I need to change those
events to use an audit_context. Is that going to introduce an
unacceptable memory or performance burden?

> This is just one example, but a non-NULL audit_context is how PATH
> records end up being associated with SYSCALL records in a single
> event.
* Re: The audit "context" and when to expect it.

From: Paul Moore @ 2020-05-29 21:49 UTC
To: Casey Schaufler; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On Fri, May 29, 2020 at 5:42 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 5/29/2020 12:01 PM, Paul Moore wrote:
> > On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >> What does a NULL audit context (e.g. ab->cxt == NULL) tell
> >> me about the status of the audit buffer? It seems like it should
> >> be telling me that the audit buffer is being created for some
> >> purpose unrelated to the current task. And yet there are places
> >> where information is pulled from the current task even when
> >> the cxt is NULL.
> > The simple answer is that a NULL audit_context indicates a standalone
> > record, meaning a record with a unique timestamp so that it is not
> > associated with any other records into an event. If the audit_context
> > is not NULL then the information in the context is used to group, or
> > associate, all of the records sharing that context into a single
> > event.
>
> OK, so if I want to add a sub-record with the multiple secctx values

Terminology nit-pick: there are "records" and "events", there is
nothing we would call a sub-record. In the case you are referring to,
this is a record which would always be part of a larger collection of
records. It's similar to a PATH record in that it doesn't make sense
by itself, but when combined with the other records in an event, it
provides useful information.

> for the events that include a subject value I need to change those
> events to use an audit_context. Is that going to introduce an
> unacceptable memory or performance burden?

No more so than any additional record. Or rather, it seems like this
is the only way to do what you want to do so I don't see a way around
it.

--
paul moore
www.paul-moore.com
* Re: The audit "context" and when to expect it.

From: Casey Schaufler @ 2020-05-29 22:10 UTC
To: Paul Moore; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On 5/29/2020 2:49 PM, Paul Moore wrote:
> On Fri, May 29, 2020 at 5:42 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 5/29/2020 12:01 PM, Paul Moore wrote:
>>> On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>>> What does a NULL audit context (e.g. ab->cxt == NULL) tell
>>>> me about the status of the audit buffer? It seems like it should
>>>> be telling me that the audit buffer is being created for some
>>>> purpose unrelated to the current task. And yet there are places
>>>> where information is pulled from the current task even when
>>>> the cxt is NULL.
>>> The simple answer is that a NULL audit_context indicates a standalone
>>> record, meaning a record with a unique timestamp so that it is not
>>> associated with any other records into an event. If the audit_context
>>> is not NULL then the information in the context is used to group, or
>>> associate, all of the records sharing that context into a single
>>> event.
>> OK, so if I want to add a sub-record with the multiple secctx values
> Terminology nit-pick: there are "records" and "events", there is
> nothing we would call a sub-record.

Thanks. I stand corrected.

> In the case you are referring to,
> this is a record which would always be part of a larger collection of
> records. It's similar to a PATH record in that it doesn't make sense
> by itself, but when combined with the other records in an event, it
> provides useful information.
>
>> for the events that include a subject value I need to change those
>> events to use an audit_context. Is that going to introduce an
>> unacceptable memory or performance burden?
> No more so than any additional record. Or rather, it seems like this
> is the only way to do what you want to do so I don't see a way around
> it.

That's what I'll do then. Thanks again.