On Thu, Nov 4, 2021 at 5:00 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> AUDIT_TIME_* events are generated when there are syscall rules present that are
> not related to time keeping. This will produce noisy log entries that could
> flood the logs and hide events we really care about.
>
> Rather than immediately produce the AUDIT_TIME_* records, store the data and
> log it at syscall exit time respecting the filter rules.
>
> Please see
> https://bugzilla.redhat.com/show_bug.cgi?id=1991919

Unfortunately that URL isn't publicly accessible. It might be helpful
to simply add the relevant information to the commit description[1]
and omit the link entirely. Since this is just an RFC, please don't
resend the patch just to include that information, you can simply
reply to this thread with the additional info.
--
paul moore
www.paul-moore.com