On 2017-10-13 21:11, Paul Moore wrote: > On Fri, Oct 13, 2017 at 3:54 PM, Richard Guy Briggs <[email protected]> wrote: > > Since these are already standalone records (since the context passed to > > audit_log_start() is NULL) this info is necessary. > > For the record, I don't have a problem with converting standalone > records to syscall accompanied records if that makes sense (not all > audit events can be attributed to a syscall).
I don't either. I think I've fixed a couple like that in the past when I thought it made sense. > Looking purely at the additional information mentioned in this thread, > e.g. pid/uid/session/tty, it would make me believe that these records > *could* be accompanied by a syscall (what is the point of recording > that information if it isn't triggered by a syscall?). However, I > can't say I've followed all the different fsnotify paths to know if > that is the case ... it may be a mix, and perhaps that would be an > argument for the logging this information in the accompanied SYSCALL > record (it's only recorded when it is valid). Ok, fair enough. There are some records generated by actions that seem indirect for watches and trees, but I suppose they are all ultimately triggered by a user action... The issue I still get stuck with is how do we make sure we put in rules to catch all the CONFIG_CHANGE instances without getting flooded by all sorts of other stuff we don't want? > > I'm fine with the field ordering. If that is not acceptable, I'd > > recommend a new record type (AUDIT_TASK) to act as an aux record to this > > record that lists this information in a standard order that can be used > > as an aux record for all the standalone records that are missing this > > information. > > As I just said in the GH issue, I'm not a big fan of the aux record at > the moment (it seems too much of a dup with the SYSCALL record), but > I'm not going to rule it out. > > -- > paul moore > www.paul-moore.com - RGB -- Richard Guy Briggs <[email protected]> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
