Hi,
I was looking into a problem from the test team and ran across this comment in
the kernel code:
http://lxr.linux.no/source/kernel/auditsc.c#L652
It basically says that audit records may be emitted as event records are
generated as opposed to syscall exit. The problem shows up during stress
testing. The records that get sent from the kernel are nowhere close to each
other and are hard to correlate.
The comment says that if the current technique isn't suitable, maybe we can
keep formatted records off of the context and then send them all at syscall
exit.
Can anyone see any problems with changing this?
-Steve