On 5/29/2020 2:49 PM, Paul Moore wrote:
> On Fri, May 29, 2020 at 5:42 PM Casey Schaufler <[email protected]>
> wrote:
>> On 5/29/2020 12:01 PM, Paul Moore wrote:
>>> On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <[email protected]>
>>> wrote:
>>>> What does a NULL audit context (e.g. ab->cxt == NULL) tell
>>>> me about the status of the audit buffer? It seems like it should
>>>> be telling me that the audit buffer is being created for some
>>>> purpose unrelated to the current task. And yet there are places
>>>> where information is pulled from the current task even when
>>>> the cxt is NULL.
>>> The simple answer is that a NULL audit_context indicates a standalone
>>> record, meaning a record with a unique timestamp so that it is not
>>> associated with any other records into an event. If the audit_context
>>> is not NULL then the information in the context is used to group, or
>>> associate, all of the records sharing that context into a single
>>> event.
>> OK, so if I want to add a sub-record with the multiple secctx values
> Terminology nit-pick: there are "records" and "events", there is
> nothing we would call a sub-record.

Thanks. I stand corrected.

> In the case you are referring to,
> this is a record which would always be part of a larger collection of
> records. It's similar to a PATH record in that it doesn't make sense
> by itself, but when combined with the other records in an event, it
> provides useful information.
>
>> for the events that include a subject value I need to change those
>> events to use an audit_context. Is that going to introduce an
>> unacceptable memory or performance burden?
> No more so than any additional record. Or rather, it seems like this
> is the only way to do what you want to do so I don't see a way around
> it.

That's what I'll do then. Thanks again.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
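The record/event distinction discussed above is visible on the consumer side: every record carries a `msg=audit(TIMESTAMP:SERIAL)` stamp, records emitted under one shared audit_context carry the same stamp, and a record logged with a NULL context gets a stamp of its own and so cannot be associated with anything else. The following is an added, constructed illustration (not code from the thread or from the kernel); the log lines are made up, and the field names follow the usual audit record layout.

```python
import re
from collections import OrderedDict

# Constructed sample records (not taken from the thread). The first four
# share a stamp, i.e. the kernel emitted them under one audit_context; the
# CONFIG_CHANGE record was logged with a NULL context and stands alone.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1590785400.123:4567): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=EXECVE msg=audit(1590785400.123:4567): argc=1 a0="ls"
type=PATH msg=audit(1590785400.123:4567): item=0 name="/bin/ls" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0
type=PROCTITLE msg=audit(1590785400.123:4567): proctitle="ls"
type=CONFIG_CHANGE msg=audit(1590785401.500:4568): auid=1000 ses=3 op=add_rule key=(null) list=4 res=1
"""

# type=<TYPE> msg=audit(<secs.millis>:<serial>): <body>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$'
)

def parse_record(line):
    """Split one audit record into its type, event stamp and body."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    return m.groupdict()

def group_events(text):
    """Group records into events keyed by (timestamp, serial), in log order.

    Records that shared an audit_context in the kernel land in one list;
    a standalone (NULL-context) record ends up in a list of its own.
    """
    events = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        events.setdefault((rec["ts"], rec["serial"]), []).append(rec)
    return events

def standalone_events(events):
    """Stamps that carry exactly one record, i.e. were not grouped with anything."""
    return [stamp for stamp, recs in events.items() if len(recs) == 1]

def event_subject(recs):
    """The subj= value of an event, taken from whichever record carries it.

    Other records in the same event inherit it purely by sharing the stamp,
    which is why a subject-related record needs a context to be useful.
    """
    for rec in recs:
        m = re.search(r'\bsubj=(\S+)', rec["body"])
        if m:
            return m.group(1)
    return None
```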
