On Mon, Mar 9, 2020 at 1:45 PM Casey Schaufler <casey(a)schaufler-ca.com> wrote:
> On 3/6/2020 6:31 PM, Paul Moore wrote:
> > Either way, the "obj=" field should stay where it is, but the
> > "obj_XXX=" fields need to find their way to the end of the record.
> As Steve pointed out, there may be a bigger issue here. If the additional
> fields aren't going to fit in MAX_AUDIT_MESSAGE_LENGTH bytes another
> format may be required. I had hoped that perhaps obj_selinux= might count
> as a refinement to obj= and hence not be considered a new field, but
> it looks like that's not flying.
Regardless, the field placement guidance remains the same.
As far as the record limitation; yes, Steve's audit userspace does
have a limit, but I do wonder how limiting an 8k record size really is
for the majority of systems. My guess is "not too bad". If you are
concerned about that, I imagine you could always tack on a new record
to relevant events with additional LSM subj/obj info. Some of the
audit container ID pre-work has made that less painful than it would
have been in the past, but it will still be a bit of work to get it
right.
--
paul moore
www.paul-moore.com
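The two constraints the thread discusses, that new per-LSM "obj_XXX=" fields must land at the end of an audit record and that a record has to fit in MAX_AUDIT_MESSAGE_LENGTH bytes, can be checked mechanically. The following is an added example and not code from the thread or from the kernel or audit userspace: a small Python checker that parses a constructed AVC-style record, flags any obj_*/subj_* field placed before the legacy fields, and appends extra LSM fields by spilling them into a supplementary record when they would not fit. The sample record, the legacy field list, the helper names and the supplementary record type "LSM_EXTRA" are assumptions for illustration; the constant's value is taken from the kernel's include/uapi/linux/audit.h, which the thread names but does not quote.

```python
"""Added example: check audit record field placement and length limits."""
import re

# Value of MAX_AUDIT_MESSAGE_LENGTH as defined in the kernel's
# include/uapi/linux/audit.h (assumption: the thread names the constant
# but does not state its value).
MAX_AUDIT_MESSAGE_LENGTH = 8970

# Fields that existing userspace parsers already expect in an AVC-style
# record, in the order they are emitted (constructed list for this example).
LEGACY_FIELDS = ("pid", "comm", "subj", "obj")

# key=value pairs; values are either double-quoted or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample record; the serial and labels are made up.
SAMPLE = ('type=AVC msg=audit(1583700000.123:42): avc:  denied  { read } '
          'for pid=1234 comm="cat" subj=system_u:system_r:init_t:s0 '
          'obj=system_u:object_r:etc_t:s0')


def parse_fields(record: str) -> list:
    """Return (name, value) pairs in the order they appear in the record."""
    return [(m.group(1), m.group(2).strip('"')) for m in FIELD_RE.finditer(record)]


def check_placement(record: str) -> list:
    """Report each obj_*/subj_* field that appears before the last legacy field.

    Legacy consumers may stop scanning once they have seen the fields they
    know about, so a new field placed in the middle can break them.
    """
    names = [name for name, _ in parse_fields(record)]
    last_legacy = max((i for i, n in enumerate(names) if n in LEGACY_FIELDS),
                      default=-1)
    return [f"{n} appears before legacy field {names[last_legacy]}"
            for i, n in enumerate(names)
            if (n.startswith("obj_") or n.startswith("subj_")) and i < last_legacy]


def check_length(record: str) -> bool:
    """True when the record fits in one audit message."""
    return len(record.encode()) <= MAX_AUDIT_MESSAGE_LENGTH


def append_lsm_fields(record: str, extra: dict) -> list:
    """Append per-LSM fields at the very end of the record.

    If the combined record would exceed MAX_AUDIT_MESSAGE_LENGTH, the extra
    fields are emitted as a separate record tied to the same event serial,
    the "tack on a new record" approach mentioned in the thread. The record
    type name LSM_EXTRA is a placeholder, not a real audit type.
    """
    def fmt(k, v):
        return f'{k}="{v}"' if " " in v else f"{k}={v}"

    tail = " ".join(fmt(k, v) for k, v in extra.items())
    combined = f"{record} {tail}"
    if check_length(combined):
        return [combined]
    serial = re.search(r"audit\((\S+)\)", record).group(1)
    return [record, f"type=LSM_EXTRA msg=audit({serial}): {tail}"]


if __name__ == "__main__":
    print(check_placement(SAMPLE))
    for rec in append_lsm_fields(SAMPLE, {"obj_selinux": "system_u:object_r:etc_t:s0",
                                          "obj_smack": "_"}):
        print(len(rec), rec)
```

Running the checker over records captured from a test system (for example the output of ausearch) makes it easy to confirm that a proposed format change keeps the legacy prefix intact and stays under the size limit before any parser is updated.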