On Fri, Oct 13, 2017 at 3:54 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
Since these are already standalone records (since the context passed
to
audit_log_start() is NULL) this info is necessary.
For the record, I don't have a problem with converting standalone
records to syscall accompanied records if that makes sense (not all
audit events can be attributed to a syscall).
Looking purely at the additional information mentioned in this thread,
e.g. pid/uid/session/tty, it would make me believe that these records
*could* be accompanied by a syscall (what is the point of recording
that information if it isn't triggered by a syscall?). However, I
can't say I've followed all the different fsnotify paths to know if
that is the case ... it may be a mix, and perhaps that would be an
argument for the logging this information in the accompanied SYSCALL
record (it's only recorded when it is valid).
I'm fine with the field ordering. If that is not acceptable,
I'd
recommend a new record type (AUDIT_TASK) to act as an aux record to this
record that lists this information in a standard order that can be used
as an aux record for all the standalone records that are missing this
information.
As I just said in the GH issue, I'm not a big fan of the aux record at
the moment (it seems too much of a dup with the SYSCALL record), but
I'm not going to rule it out.
--
paul moore
www.paul-moore.com