On Mon, Mar 9, 2020 at 1:45 PM Casey Schaufler <[email protected]> wrote:
> On 3/6/2020 6:31 PM, Paul Moore wrote:
> > Either way, the "obj=" field should stay where it is, but the
> > "obj_XXX=" fields need to find their way to the end of the record.
>
> As Steve pointed out, there may be a bigger issue here. If the additional
> fields aren't going to fit in MAX_AUDIT_MESSAGE_LENGTH bytes another
> format may be required. I had hoped that perhaps obj_selinux= might count
> as a refinement to obj= and hence not be considered a new field, but
> it looks like that's not flying.

Regardless, the field placement guidance remains the same.

As far as the record limitation, yes, Steve's audit userspace does have a
limit, but I do wonder how limiting an 8k record size really is for the
majority of systems. My guess is "not too bad". If you are concerned about
that, I imagine you could always tack on a new record to relevant events
with additional LSM subj/obj info. Some of the audit container ID pre-work
has made that less painful than it would have been in the past, but it will
still be a bit of work to get it right.

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
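As an added example (not code from the thread or from the audit project), the checker below applies the two constraints discussed above to constructed PATH records: obj= keeps its position while obj_<lsm>= fields trail the record, and the record stays under the size limit; it also sketches the "tack on a new record" alternative. The 8192-byte limit, the OBJ_LSM record type name and the sample records are assumptions made for the example.

```python
import re

# The thread speaks of an "8k" record limit in the audit userspace; the exact
# figure used here is an assumption for the example, not a value from the page.
MAX_RECORD_LEN = 8192

# key=value tokens: the value is a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(record):
    """Split an audit record into its ordered (key, value) pairs."""
    return FIELD_RE.findall(record)

def check_obj_placement(record):
    """Return the problems (empty list if none) against the thread's rules:
    obj= keeps its place, every obj_<lsm>= field trails all other fields so
    position-based parsers keep working, and the record fits MAX_RECORD_LEN."""
    problems = []
    size = len(record.encode())
    if size > MAX_RECORD_LEN:
        problems.append(f"record is {size} bytes, limit is {MAX_RECORD_LEN}")
    keys = [k for k, _ in parse_fields(record)]
    ext = [i for i, k in enumerate(keys) if k.startswith("obj_")]
    if ext:
        if "obj" in keys and keys.index("obj") > ext[0]:
            problems.append("obj= must not come after an obj_*= field")
        stray = [k for k in keys[ext[0]:] if not k.startswith("obj_")]
        if stray:
            problems.append(f"fields {stray} follow obj_*= fields; obj_*= must be last")
    return problems

def split_lsm_fields(record):
    """Sketch of the thread's other option: move obj_*= fields into a companion
    record sharing the msg=audit(...) id. The type name OBJ_LSM is made up here."""
    fields = parse_fields(record)
    base = " ".join(f"{k}={v}" for k, v in fields if not k.startswith("obj_"))
    extra = [f"{k}={v}" for k, v in fields if k.startswith("obj_")]
    if not extra:
        return base, None
    return base, f"type=OBJ_LSM msg={dict(fields)['msg']} " + " ".join(extra)

# Constructed PATH records for illustration (not captured from a real system).
GOOD = ('type=PATH msg=audit(1583800000.123:456): item=0 name="/etc/shadow" inode=1234 '
        'dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 '
        'nametype=NORMAL obj_selinux=system_u:object_r:shadow_t:s0')
# Same content, but obj_selinux= was inserted next to obj= instead of at the end.
BAD = GOOD.replace(' nametype=NORMAL obj_selinux=system_u:object_r:shadow_t:s0',
                   ' obj_selinux=system_u:object_r:shadow_t:s0 nametype=NORMAL')
```

Running `check_obj_placement` over both records flags only BAD, and `split_lsm_fields(GOOD)` yields a base record that passes the check plus a companion record carrying the LSM field.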
