On Nov 22, 2024 Mickaël Salaün <m...@digikod.net> wrote:
>
> It may be useful to synchronize with the audit's timestamp e.g., to
> identify asynchronous events as being created with a previous audit
> record (see next commit).
>
> auditsc_get_stamp() does more than just getting a timestamp, so add a
> new helper instead of exposing it and risking side effects.
>
> It should be noted that we cannot reliably expose event's serial numbers
> because there may not be any related event, which would then create
> holes in the sequence of serial numbers.
>
> Cc: Eric Paris <epa...@redhat.com>
> Cc: Paul Moore <p...@paul-moore.com>
> Signed-off-by: Mickaël Salaün <m...@digikod.net>
> Link: https://lore.kernel.org/r/20241122143353.59367-10-...@digikod.net
> ---
> Changes since v2:
> - New patch.
> ---
>  include/linux/audit.h |  8 ++++++++
>  kernel/auditsc.c      | 21 ++++++++++++++++++---
>  2 files changed, 26 insertions(+), 3 deletions(-)

I need to see where you actually use this, but I'm not sure I want to
expose the audit timestamp outside of the audit subsystem.

Okay, I found at least one user in patch 10/23, and no, that's not
something I think we want to support with audit. More about this in
patch 10/23.

--
paul-moore.com