On Fri, May 29, 2020 at 5:42 PM Casey Schaufler <[email protected]> wrote:
> On 5/29/2020 12:01 PM, Paul Moore wrote:
> > On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <[email protected]>
> > wrote:
> >> What does a NULL audit context (e.g. ab->cxt == NULL) tell
> >> me about the status of the audit buffer? It seems like it should
> >> be telling me that the audit buffer is being created for some
> >> purpose unrelated to the current task. And yet there are places
> >> where information is pulled from the current task even when
> >> the cxt is NULL.
> > The simple answer is that a NULL audit_context indicates a standalone
> > record, meaning a record with a unique timestamp so that it is not
> > associated with any other records into an event. If the audit_context
> > is not NULL then the information in the context is used to group, or
> > associate, all of the records sharing that context into a single
> > event.
>
> OK, so if I want to add a sub-record with the multiple secctx values

Terminology nit-pick: there are "records" and "events", there is nothing
we would call a sub-record. In the case you are referring to, this is a
record which would always be part of a larger collection of records. It's
similar to a PATH record in that it doesn't make sense by itself, but when
combined with the other records in an event, it provides useful
information.

> for the events that include a subject value I need to change those
> events to use an audit_context. Is that going to introduce an
> unacceptable memory or performance burden?

No more so than any additional record. Or rather, it seems like this is
the only way to do what you want to do so I don't see a way around it.

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
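The distinction Paul draws above (a NULL audit_context gives a standalone record with its own timestamp and serial; records logged against the same context share one stamp and so form one event) as a small user-space model. This is an example added by the editor, not code from the kernel or from either poster. It follows the shape of audit_get_stamp(), auditsc_get_stamp() and audit_serial() in kernel/audit.c and kernel/auditsc.c as I understand them, but the struct layouts, the constructed 1 ms clock, the record text and the count_events() helper are assumptions made for illustration.

```c
#include <stdio.h>

/* Editor's model of the fields of struct audit_context that matter for
 * grouping; the real struct carries far more state. */
struct audit_context {
	unsigned long long sec;   /* event timestamp, seconds */
	unsigned int msec;        /* event timestamp, milliseconds */
	unsigned int serial;      /* 0 until the first record is stamped */
};

struct audit_buffer {
	struct audit_context *ctx; /* NULL means a standalone record */
	unsigned int serial;       /* kept here only so the model can be checked */
	char text[96];
};

/* Constructed clock: advances 1 ms per read so distinct stamps are visible. */
static unsigned long long clock_sec = 1590784800ULL;
static unsigned int clock_msec;

static void read_clock(unsigned long long *sec, unsigned int *msec)
{
	if (++clock_msec == 1000) {
		clock_msec = 0;
		clock_sec++;
	}
	*sec = clock_sec;
	*msec = clock_msec;
}

/* Models audit_serial(): one global, monotonically increasing counter. */
static unsigned int serial_counter;
static unsigned int audit_serial(void)
{
	return ++serial_counter;
}

/* Models auditsc_get_stamp(): the first record logged against a context
 * fixes the context's timestamp and serial; later records reuse them. */
static int auditsc_get_stamp(struct audit_context *ctx, unsigned long long *sec,
			     unsigned int *msec, unsigned int *serial)
{
	if (!ctx->serial) {
		read_clock(&ctx->sec, &ctx->msec);
		ctx->serial = audit_serial();
	}
	*sec = ctx->sec;
	*msec = ctx->msec;
	*serial = ctx->serial;
	return 1;
}

/* Models audit_get_stamp(): no context means a fresh stamp and serial. */
static void audit_get_stamp(struct audit_context *ctx, unsigned long long *sec,
			    unsigned int *msec, unsigned int *serial)
{
	if (!ctx || !auditsc_get_stamp(ctx, sec, msec, serial)) {
		read_clock(sec, msec);
		*serial = audit_serial();
	}
}

/* Models audit_log_start(): writes the "audit(sec.msec:serial): " header that
 * userspace keys on when it reassembles records into events. */
static void audit_log_start(struct audit_buffer *ab, struct audit_context *ctx,
			    const char *type)
{
	unsigned long long sec;
	unsigned int msec;

	ab->ctx = ctx;
	audit_get_stamp(ctx, &sec, &msec, &ab->serial);
	snprintf(ab->text, sizeof(ab->text), "type=%s msg=audit(%llu.%03u:%u): ",
		 type, sec, msec, ab->serial);
}

/* Two records belong to the same event iff they carry the same serial. */
static int same_event(const struct audit_buffer *a, const struct audit_buffer *b)
{
	return a->serial == b->serial;
}

/* Log n records (at most 8), either all against one shared context or each
 * with ctx == NULL, and return how many distinct events they produce. */
static int count_events(int share_context, int n)
{
	struct audit_context ctx = { 0, 0, 0 };
	struct audit_buffer ab[8];
	int i, j, events = 0;

	if (n > 8)
		n = 8;
	for (i = 0; i < n; i++) {
		audit_log_start(&ab[i], share_context ? &ctx : NULL, "TEST");
		for (j = 0; j < i; j++)
			if (same_event(&ab[i], &ab[j]))
				break;
		if (j == i)
			events++; /* no earlier record shares this stamp */
	}
	return events;
}

int main(void)
{
	struct audit_context ctx = { 0, 0, 0 };
	struct audit_buffer syscall, path, standalone;

	audit_log_start(&syscall, &ctx, "SYSCALL");
	audit_log_start(&path, &ctx, "PATH");               /* joins the SYSCALL event */
	audit_log_start(&standalone, NULL, "DAEMON_START"); /* an event of its own */

	printf("%s\n%s\n%s\n", syscall.text, path.text, standalone.text);
	printf("SYSCALL/PATH grouped: %d, SYSCALL/DAEMON_START grouped: %d\n",
	       same_event(&syscall, &path), same_event(&syscall, &standalone));
	return 0;
}
```

In the model, as in the kernel behaviour Paul describes, the context's stamp is only filled in when the first record is logged against it, and every later record logged with the same context reproduces that sec.msec:serial header. That shared header is what ausearch and similar tools use to reassemble an event, which is why a record that is only meaningful alongside the subject's other records has to be logged with that event's audit_context rather than with NULL.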
