Re: [PATCH 1/1] audit: add missing fields to AUDIT_CONFIG_CHANGE event

On Monday, October 16, 2017 11:27:06 AM EDT Richard Guy Briggs wrote: > On 2017-10-13 21:11, Paul Moore wrote: > > On Fri, Oct 13, 2017 at 3:54 PM, Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: > > > Since these are already standalone records (since the context passed to > > > audit_log_start() is NULL) this info is necessary. > > > > For the record, I don't have a problem with converting standalone > > records to syscall accompanied records if that makes sense (not all > > audit events can be attributed to a syscall). > > I don't either. I think I've fixed a couple like that in the past when > I thought it made sense. My main objection to this is on wasting disk space and hurting search performance. We don't need group information or extended uid information or the actual syscall because it will always be a write nor do we need the arch or arguments. It also eats more memory when parsing and we have lots of extra fields that now need strtok to iterate over. I'd almost rather add a task record because its more conservative, but syscall is the only kind of event that carries auxiliary records. We'd have to probably create something to do that if we did go that way. But it sounds like more trouble than just adding a couple required fields.