On Fri, Jan 21, 2022 at 11:17 AM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> AUDIT_TIME_* events are generated when there are syscall rules present that are
> not related to time keeping. This will produce noisy log entries that could
> flood the logs and hide events we really care about.
>
> Rather than immediately produce the AUDIT_TIME_* records, store the data in the
> context and log it at syscall exit time respecting the filter rules.
>
> Please see
> https://bugzilla.redhat.com/show_bug.cgi?id=1991919

I haven't made sense of the rest of the patch yet, but *please* do not
include non-public sources of information in patch descriptions.
(... and please don't respin this patch just for that, just keep it in
mind for future work.)

> Fixes: 7e8eda734d30 ("ntp: Audit NTP parameters adjustment")
> Fixes: 2d87a0674bd6 ("timekeeping: Audit clock adjustments")
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> Changelog:
> v2:
> - rename __audit_ntp_log_ to audit_log_ntp
> - pre-check ntp before storing
> - move tk out of the context union and move ntp logging to the bottom of
>   audit_show_special()
> - restructure logging of ntp to use ab and allocate more only if more
> - add Fixes lines
>
> kernel/audit.h   |  2 ++
> kernel/auditsc.c | 77 +++++++++++++++++++++++++++++++++++-------------
> 2 files changed, 59 insertions(+), 20 deletions(-)
--
paul moore
paul-moore.com