From: Paul Moore
Date: Thu, 4 Nov 2021 17:29:24 -0400
Subject: Re: [RFC PATCH v1] audit: log AUDIT_TIME_* records only from rules
To: Richard Guy Briggs
Cc: Eric Paris, Linux-Audit Mailing List

On Thu, Nov 4, 2021 at 5:00 PM Richard Guy Briggs wrote:
>
> AUDIT_TIME_* events are generated when there are syscall rules present that are
> not related to time keeping. This will produce noisy log entries that could
> flood the logs and hide events we really care about.
>
> Rather than immediately produce the AUDIT_TIME_* records, store the data and
> log it at syscall exit time respecting the filter rules.
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919

Unfortunately that URL isn't publicly accessible. It might be helpful
to simply add the relevant information to the commit description[1]
and omit the link entirely.

Since this is just an RFC, please don't resend the patch just to
include that information, you can simply reply to this thread with the
additional info.

-- 
paul moore
www.paul-moore.com