Linux-audit Archive on lore.kernel.org
* The audit "context" and when to expect it.
       [not found] <45ce3357-ca82-8721-22d6-dabe751ad8fa.ref@schaufler-ca.com>
@ 2020-05-29 17:59 ` Casey Schaufler
  2020-05-29 19:01   ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: Casey Schaufler @ 2020-05-29 17:59 UTC (permalink / raw)
  To: Linux-Audit Mailing List; +Cc: Richard Guy Briggs


What does a NULL audit context (e.g. ab->cxt == NULL) tell
me about the status of the audit buffer? It seems like it should
be telling me that the audit buffer is being created for some
purpose unrelated to the current task. And yet there are places
where information is pulled from the current task even when
the cxt is NULL.



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit



* Re: The audit "context" and when to expect it.
  2020-05-29 17:59 ` The audit "context" and when to expect it Casey Schaufler
@ 2020-05-29 19:01   ` Paul Moore
  2020-05-29 21:42     ` Casey Schaufler
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2020-05-29 19:01 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> What does a NULL audit context (e.g. ab->cxt == NULL) tell
> me about the status of the audit buffer? It seems like it should
> be telling me that the audit buffer is being created for some
> purpose unrelated to the current task. And yet there are places
> where information is pulled from the current task even when
> the cxt is NULL.

The simple answer is that a NULL audit_context indicates a standalone
record, meaning a record with a unique timestamp so that it is not
associated with any other records into an event.  If the audit_context
is not NULL then the information in the context is used to group, or
associate, all of the records sharing that context into a single
event.

This is just one example, but a non-NULL audit_context is how PATH
records end up being associated with SYSCALL records in a single
event.

-- 
paul moore
www.paul-moore.com


* Re: The audit "context" and when to expect it.
  2020-05-29 19:01   ` Paul Moore
@ 2020-05-29 21:42     ` Casey Schaufler
  2020-05-29 21:49       ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: Casey Schaufler @ 2020-05-29 21:42 UTC (permalink / raw)
  To: Paul Moore; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On 5/29/2020 12:01 PM, Paul Moore wrote:
> On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> What does a NULL audit context (e.g. ab->cxt == NULL) tell
>> me about the status of the audit buffer? It seems like it should
>> be telling me that the audit buffer is being created for some
>> purpose unrelated to the current task. And yet there are places
>> where information is pulled from the current task even when
>> the cxt is NULL.
> The simple answer is that a NULL audit_context indicates a standalone
> record, meaning a record with a unique timestamp so that it is not
> associated with any other records into an event.  If the audit_context
> is not NULL then the information in the context is used to group, or
> associate, all of the records sharing that context into a single
> event.

OK, so if I want to add a sub-record with the multiple secctx values
for the events that include a subject value I need to change those
events to use an audit_context. Is that going to introduce an
unacceptable memory or performance burden?

>
> This is just one example, but a non-NULL audit_context is how PATH
> records end up being associated with SYSCALL records in a single
> event.
>



* Re: The audit "context" and when to expect it.
  2020-05-29 21:42     ` Casey Schaufler
@ 2020-05-29 21:49       ` Paul Moore
  2020-05-29 22:10         ` Casey Schaufler
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2020-05-29 21:49 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On Fri, May 29, 2020 at 5:42 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 5/29/2020 12:01 PM, Paul Moore wrote:
> > On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >> What does a NULL audit context (e.g. ab->cxt == NULL) tell
> >> me about the status of the audit buffer? It seems like it should
> >> be telling me that the audit buffer is being created for some
> >> purpose unrelated to the current task. And yet there are places
> >> where information is pulled from the current task even when
> >> the cxt is NULL.
> > The simple answer is that a NULL audit_context indicates a standalone
> > record, meaning a record with a unique timestamp so that it is not
> > associated with any other records into an event.  If the audit_context
> > is not NULL then the information in the context is used to group, or
> > associate, all of the records sharing that context into a single
> > event.
>
> OK, so if I want to add a sub-record with the multiple secctx values

Terminology nit-pick: there are "records" and "events", there is
nothing we would call a sub-record.  In the case you are referring to,
this is a record which would always be part of a larger collection of
records.  It's similar to a PATH record in that it doesn't make sense
by itself, but when combined with the other records in an event, it
provides useful information.

> for the events that include a subject value I need to change those
> events to use an audit_context. Is that going to introduce an
> unacceptable memory or performance burden?

No more so than any additional record.  Or rather, it seems like this
is the only way to do what you want to do so I don't see a way around
it.

-- 
paul moore
www.paul-moore.com

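The two replies from Paul above describe the record/event model from inside the kernel: a NULL audit_context yields a standalone record with its own timestamp and serial, while records that share a non-NULL context are emitted under one timestamp/serial and so form one event (SYSCALL plus its CWD and PATH records being the usual case), and a record such as PATH is only meaningful as part of such an event. The script below is an added example, not code from the thread, from the kernel or from audit userspace; it shows the userspace side of that rule by grouping audit.log records on their `msg=audit(<ts>:<serial>)` key. The sample log lines are constructed to resemble auditd output (field values, serials and labels are made up), and the set of "dependent" record types is an assumption chosen for the example, not something the thread enumerates.

```python
"""Group Linux audit records into events by their shared msg=audit(ts:serial) key.

Added example, not from the linux-audit thread or the kernel source. The sample
log lines are constructed to look like auditd output; values are illustrative.
"""
import re
from collections import OrderedDict

# Constructed sample: one multi-record event (SYSCALL + CWD + PATH + PROCTITLE
# share serial 4567), one standalone record (USER_AUTH, its own serial 4568),
# and one stray PATH record (serial 4570) with no SYSCALL to attach to.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1590775200.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=1234 auid=1000 uid=0 gid=0 subj=unconfined_u:unconfined_r:unconfined_t:s0 key="etc-watch"
type=CWD msg=audit(1590775200.123:4567): cwd="/root"
type=PATH msg=audit(1590775200.123:4567): item=0 name="/etc/passwd" inode=1310 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1590775200.123:4567): proctitle=636174002F6574632F706173737764
type=USER_AUTH msg=audit(1590775200.500:4568): pid=2000 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" res=success'
type=PATH msg=audit(1590775201.000:4570): item=0 name="/tmp/orphan" inode=42 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

# Every record starts with: type=<TYPE> msg=audit(<timestamp>:<serial>):
HEADER_RE = re.compile(
    r'^type=(?P<type>[A-Z_0-9]+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; quoted values may contain spaces (e.g. the msg='...' of USER_* records)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

# Assumed for this example: record types that carry no meaning on their own and
# only make sense beside a SYSCALL record in the same event (Paul's PATH case).
DEPENDENT_TYPES = {"PATH", "CWD", "PROCTITLE", "EXECVE", "SOCKADDR"}


def parse_record(line):
    """Parse one audit.log line; return None for lines without the audit header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(m["body"])}
    return {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"]), "fields": fields}


def group_events(log_text):
    """Return an ordered mapping (ts, serial) -> [records].

    This is the userspace view of the kernel's audit_context: records written
    under one context share a timestamp and serial, so they land in one bucket.
    A record logged with a NULL context gets a fresh serial and a bucket of its own.
    """
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec is not None:
            events.setdefault((rec["ts"], rec["serial"]), []).append(rec)
    return events


def classify_events(events):
    """Split event keys into standalone (a single self-contained record),
    grouped (a SYSCALL record plus its companions) and orphaned (dependent
    records such as PATH that have no SYSCALL in their event to give them meaning)."""
    standalone, grouped, orphaned = [], [], []
    for key, recs in events.items():
        types = {r["type"] for r in recs}
        if "SYSCALL" in types:
            grouped.append(key)
        elif len(recs) == 1 and types.isdisjoint(DEPENDENT_TYPES):
            standalone.append(key)
        else:
            orphaned.append(key)
    return standalone, grouped, orphaned


def subject_of(events, key):
    """The subject label (subj=) of an event, from whichever record carries it, or None."""
    for rec in events[key]:
        if "subj" in rec["fields"]:
            return rec["fields"]["subj"]
    return None


if __name__ == "__main__":
    ev = group_events(SAMPLE_LOG)
    standalone, grouped, orphaned = classify_events(ev)
    for key in grouped:
        print(f"event {key}: {[r['type'] for r in ev[key]]} subj={subject_of(ev, key)}")
    for key in standalone:
        print(f"standalone {key}: {ev[key][0]['type']} subj={subject_of(ev, key)}")
    for key in orphaned:
        print(f"orphaned {key}: {[r['type'] for r in ev[key]]} (no SYSCALL in this event)")
```

The orphaned bucket is the failure mode the second reply warns about: a record that only makes sense inside a larger event but was logged under its own serial, which in kernel terms is what happens if such a record is emitted with a NULL audit_context instead of the context of the SYSCALL it belongs to. Feed the script real auditd output (`cat /var/log/audit/audit.log | python3 this.py` with `SAMPLE_LOG` swapped for `sys.stdin.read()`) and the grouped bucket shows how the per-event subject label sits on the SYSCALL record while PATH records carry only the object label.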

* Re: The audit "context" and when to expect it.
  2020-05-29 21:49       ` Paul Moore
@ 2020-05-29 22:10         ` Casey Schaufler
  0 siblings, 0 replies; 5+ messages in thread
From: Casey Schaufler @ 2020-05-29 22:10 UTC (permalink / raw)
  To: Paul Moore; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On 5/29/2020 2:49 PM, Paul Moore wrote:
> On Fri, May 29, 2020 at 5:42 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 5/29/2020 12:01 PM, Paul Moore wrote:
>>> On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>>> What does a NULL audit context (e.g. ab->cxt == NULL) tell
>>>> me about the status of the audit buffer? It seems like it should
>>>> be telling me that the audit buffer is being created for some
>>>> purpose unrelated to the current task. And yet there are places
>>>> where information is pulled from the current task even when
>>>> the cxt is NULL.
>>> The simple answer is that a NULL audit_context indicates a standalone
>>> record, meaning a record with a unique timestamp so that it is not
>>> associated with any other records into an event.  If the audit_context
>>> is not NULL then the information in the context is used to group, or
>>> associate, all of the records sharing that context into a single
>>> event.
>> OK, so if I want to add a sub-record with the multiple secctx values
> Terminology nit-pick: there are "records" and "events", there is
> nothing we would call a sub-record.

Thanks. I stand corrected.

>   In the case you are referring to,
> this is a record which would always be part of a larger collection of
> records.  It's similar to a PATH record in that it doesn't make sense
> by itself, but when combined with the other records in an event, it
> provides useful information.
>
>> for the events that include a subject value I need to change those
>> events to use an audit_context. Is that going to introduce an
>> unacceptable memory or performance burden?
> No more so than any additional record.  Or rather, it seems like this
> is the only way to do what you want to do so I don't see a way around
> it.

That's what I'll do then. Thanks again.

