On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <[email protected]> wrote:
> What does a NULL audit context (e.g. ab->cxt == NULL) tell
> me about the status of the audit buffer? It seems like it should
> be telling me that the audit buffer is being created for some
> purpose unrelated to the current task. And yet there are places
> where information is pulled from the current task even when
> the cxt is NULL.
The simple answer is that a NULL audit_context indicates a standalone record, meaning a record with a unique timestamp so that it is not associated with any other records into an event. If the audit_context is not NULL then the information in the context is used to group, or associate, all of the records sharing that context into a single event. This is just one example, but a non-NULL audit_context is how PATH records end up being associated with SYSCALL records in a single event.

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
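The grouping rule Paul describes, as an added userland model (this is not kernel code and not part of the original thread): a record logged against a non-NULL context inside a syscall reuses the context's timestamp and serial, so its `audit(sec.msec:serial)` header matches the SYSCALL record's, while a record logged with a NULL context gets a fresh stamp and is therefore an event of its own. The struct and function names echo the kernel's (audit_context, audit_buffer, audit_get_stamp, audit_log); their fields, signatures and the sample records are simplified assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userland model (added example, not kernel code) of how an audit_buffer's
 * context decides whether a record is standalone or part of an event.
 * Names echo the kernel's; fields and signatures are simplified assumptions. */

struct audit_stamp {
    uint64_t sec;      /* event timestamp, seconds */
    unsigned msec;     /* event timestamp, milliseconds */
    unsigned serial;   /* event serial; 0 = not yet assigned */
};

/* Per-task syscall context: one stamp shared by every record of the event. */
struct audit_context {
    int in_syscall;
    struct audit_stamp stamp;
};

struct audit_buffer {
    struct audit_context *ctx;   /* NULL means a standalone record */
    struct audit_stamp stamp;
    char msg[160];
};

static unsigned serial_counter;  /* stands in for the kernel's audit_serial() */

static struct audit_stamp fresh_stamp(uint64_t now_sec, unsigned now_msec)
{
    struct audit_stamp s = { now_sec, now_msec, ++serial_counter };
    return s;
}

/* Model of audit_get_stamp(): inside a syscall, a non-NULL context hands out
 * its own stamp (allocating the serial on first use) so every record shares
 * it; otherwise the record gets a fresh stamp and becomes its own event. */
static struct audit_stamp audit_get_stamp(struct audit_context *ctx,
                                          uint64_t now_sec, unsigned now_msec)
{
    if (ctx && ctx->in_syscall) {
        if (ctx->stamp.serial == 0)
            ctx->stamp = fresh_stamp(now_sec, now_msec);
        return ctx->stamp;
    }
    return fresh_stamp(now_sec, now_msec);
}

/* Model of audit_log_start() + audit_log_format(): the header uses the real
 * "audit(sec.msec:serial): " layout that userspace keys events on. */
static void audit_log(struct audit_buffer *ab, struct audit_context *ctx,
                      uint64_t now_sec, unsigned now_msec,
                      const char *type, const char *body)
{
    ab->ctx = ctx;
    ab->stamp = audit_get_stamp(ctx, now_sec, now_msec);
    snprintf(ab->msg, sizeof ab->msg, "type=%s msg=audit(%llu.%03u:%u): %s",
             type, (unsigned long long)ab->stamp.sec, ab->stamp.msec,
             ab->stamp.serial, body);
}

/* Consumer side: pull the "sec.msec:serial" key out of one record line.
 * Returns 0 on success, -1 if the line carries no audit(...) header. */
static int audit_key(const char *msg, char *key, size_t keysz)
{
    const char *start = strstr(msg, "msg=audit(");
    if (!start)
        return -1;
    start += strlen("msg=audit(");
    const char *end = strchr(start, ')');
    if (!end || (size_t)(end - start) >= keysz)
        return -1;
    memcpy(key, start, (size_t)(end - start));
    key[end - start] = '\0';
    return 0;
}

/* Records belong to one event iff their keys match; count distinct events.
 * A line without a parseable header is treated as an event of its own. */
static int count_events(const char *const *records, int n)
{
    char keys[32][40];
    int events = 0;
    for (int i = 0; i < n && i < 32; i++) {
        if (audit_key(records[i], keys[i], sizeof keys[i]) != 0)
            snprintf(keys[i], sizeof keys[i], "?%d", i);
        int seen = 0;
        for (int j = 0; j < i && !seen; j++)
            seen = strcmp(keys[j], keys[i]) == 0;
        events += !seen;
    }
    return events;
}

/* Constructed scenario: one syscall emitting SYSCALL + PATH against a shared
 * context, then two records logged with a NULL context. Returns the number
 * of distinct events the consumer sees. */
static int demo_event_count(void)
{
    struct audit_context ctx = { 1, { 0, 0, 0 } };
    struct audit_buffer r[4];
    audit_log(&r[0], &ctx, 1590775140, 123, "SYSCALL", "syscall=257 success=yes");
    audit_log(&r[1], &ctx, 1590775140, 130, "PATH", "item=0 name=\"/etc/passwd\"");
    audit_log(&r[2], NULL, 1590775141, 5, "DAEMON_START", "op=start");
    audit_log(&r[3], NULL, 1590775141, 5, "DAEMON_START", "op=start");
    const char *lines[4] = { r[0].msg, r[1].msg, r[2].msg, r[3].msg };
    for (int i = 0; i < 4; i++)
        puts(lines[i]);
    return count_events(lines, 4);
}

int main(void)
{
    printf("distinct events: %d\n", demo_event_count());
    return 0;
}
```

The PATH record is logged a few milliseconds after the SYSCALL record yet prints the SYSCALL record's timestamp, because the stamp comes from the shared context rather than from the clock at log time; that is what lets a consumer group the two by header alone. The two DAEMON_START records are logged at the same instant but with a NULL context, so each draws its own serial and they stay separate events.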
