The audit "context" and when to expect it.

The audit "context" and when to expect it.

[Casey Schaufler]

What does a NULL audit context (e.g. ab->cxt == NULL) tell
me about the status of the audit buffer? It seems like it should
be telling me that the audit buffer is being created for some
purpose unrelated to the current task. And yet there are places
where information is pulled from the current task even when
the cxt is NULL.



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: The audit "context" and when to expect it.

[Paul Moore]

On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> What does a NULL audit context (e.g. ab->cxt == NULL) tell
> me about the status of the audit buffer? It seems like it should
> be telling me that the audit buffer is being created for some
> purpose unrelated to the current task. And yet there are places
> where information is pulled from the current task even when
> the cxt is NULL.

The simple answer is that a NULL audit_context indicates a standalone
record, meaning a record with a unique timestamp so that it is not
associated with any other records into an event.  If the audit_context
it not NULL then the information in the context is used to group, or
associate, all of the records sharing that context into a single
event.

This is just one example, but a non-NULL audit_context is how PATH
records end up being associated with SYSCALL records in a single
event.

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: The audit "context" and when to expect it.

[Casey Schaufler]

On 5/29/2020 12:01 PM, Paul Moore wrote:
> On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> What does a NULL audit context (e.g. ab->cxt == NULL) tell
>> me about the status of the audit buffer? It seems like it should
>> be telling me that the audit buffer is being created for some
>> purpose unrelated to the current task. And yet there are places
>> where information is pulled from the current task even when
>> the cxt is NULL.
> The simple answer is that a NULL audit_context indicates a standalone
> record, meaning a record with a unique timestamp so that it is not
> associated with any other records into an event.  If the audit_context
> it not NULL then the information in the context is used to group, or
> associate, all of the records sharing that context into a single
> event.

OK, so if I want a add a sub-record with the multiple secctx values
for the events that include a subject value I need to change those
events to use an audit_context. Is that going to introduce an
unacceptable memory or performance burden?

>
> This is just one example, but a non-NULL audit_context is how PATH
> records end up being associated with SYSCALL records in a single
> event.
>


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: The audit "context" and when to expect it.

[Paul Moore]

On Fri, May 29, 2020 at 5:42 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 5/29/2020 12:01 PM, Paul Moore wrote:
> > On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >> What does a NULL audit context (e.g. ab->cxt == NULL) tell
> >> me about the status of the audit buffer? It seems like it should
> >> be telling me that the audit buffer is being created for some
> >> purpose unrelated to the current task. And yet there are places
> >> where information is pulled from the current task even when
> >> the cxt is NULL.
> > The simple answer is that a NULL audit_context indicates a standalone
> > record, meaning a record with a unique timestamp so that it is not
> > associated with any other records into an event.  If the audit_context
> > it not NULL then the information in the context is used to group, or
> > associate, all of the records sharing that context into a single
> > event.
>
> OK, so if I want a add a sub-record with the multiple secctx values

Terminology nit-pick: there are "records" and "events", there is
nothing we would call a sub-record.  In the case you are referring to,
this is a record which would always be part of a larger collection of
records.  It's similar to a PATH record in that it doesn't make sense
by itself, but when combined with the other records in an event, it
provides useful information.

> for the events that include a subject value I need to change those
> events to use an audit_context. Is that going to introduce an
> unacceptable memory or performance burden?

No more so than any additional record.  Or rather, it seems like this
is the only way to do what you want to do so I don't see a way around
it.

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: The audit "context" and when to expect it.

[Casey Schaufler]

On 5/29/2020 2:49 PM, Paul Moore wrote:
> On Fri, May 29, 2020 at 5:42 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 5/29/2020 12:01 PM, Paul Moore wrote:
>>> On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>>> What does a NULL audit context (e.g. ab->cxt == NULL) tell
>>>> me about the status of the audit buffer? It seems like it should
>>>> be telling me that the audit buffer is being created for some
>>>> purpose unrelated to the current task. And yet there are places
>>>> where information is pulled from the current task even when
>>>> the cxt is NULL.
>>> The simple answer is that a NULL audit_context indicates a standalone
>>> record, meaning a record with a unique timestamp so that it is not
>>> associated with any other records into an event.  If the audit_context
>>> it not NULL then the information in the context is used to group, or
>>> associate, all of the records sharing that context into a single
>>> event.
>> OK, so if I want a add a sub-record with the multiple secctx values
> Terminology nit-pick: there are "records" and "events", there is
> nothing we would call a sub-record.

Thanks. I stand corrected.

>   In the case you are referring to,
> this is a record which would always be part of a larger collection of
> records.  It's similar to a PATH record in that it doesn't make sense
> by itself, but when combined with the other records in an event, it
> provides useful information.
>
>> for the events that include a subject value I need to change those
>> events to use an audit_context. Is that going to introduce an
>> unacceptable memory or performance burden?
> No more so than any additional record.  Or rather, it seems like this
> is the only way to do what you want to do so I don't see a way around
> it.

That's what I'll do then. Thanks again.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit