Steve Grubb wrote:
> On Wednesday 15 March 2006 14:31, Linda Knippers wrote:
> > I don't understand why this record is a good idea.
> Because it gives you extra information to search on. Suppose you wanted to see
> any failed log messages for auid 501. Without the partial record, you won't
> have the information for ausearch to key on.

Considering all the information that's duplicated, it seems like a
pretty heavyweight way to get the auid, and going back to Jason's
original mail, this doesn't seem to be the reason it was added.

> Patch is below. The idea behind this patch is based on a suggestion from
> Steve Grubb to not call 'audit_syscall_entry' and 'audit_syscall_exit' if
> there are no audit rules loaded. This is problematic for the case where
> audit_log() is called in the middle of a system call (since we don't have
> the entry parameters). We address this issue by creating a partial system
> call record for this case, which contains the system call data that is
> available at exit time.

I can understand wanting to optimize the code when there are no audit
rules (although one could optimize it by disabling audit) but the fact
that it created a problem for which the partial record is a solution
makes me question the approach.
-- ljk