On 5/29/2020 2:49 PM, Paul Moore wrote:
> On Fri, May 29, 2020 at 5:42 PM Casey Schaufler
> <casey(a)schaufler-ca.com> wrote:
>> On 5/29/2020 12:01 PM, Paul Moore wrote:
>>> On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey(a)schaufler-ca.com> wrote:
>>>> What does a NULL audit context (e.g. ab->cxt == NULL) tell
>>>> me about the status of the audit buffer? It seems like it should
>>>> be telling me that the audit buffer is being created for some
>>>> purpose unrelated to the current task. And yet there are places
>>>> where information is pulled from the current task even when
>>>> the cxt is NULL.
>>> The simple answer is that a NULL audit_context indicates a standalone
>>> record, meaning a record with a unique timestamp so that it is not
>>> associated with any other records into an event. If the audit_context
>>> is not NULL then the information in the context is used to group, or
>>> associate, all of the records sharing that context into a single
>>> event.
>> OK, so if I want to add a sub-record with the multiple secctx values
> Terminology nit-pick: there are "records" and "events", there is
> nothing we would call a sub-record.
Thanks. I stand corrected.
> In the case you are referring to,
> this is a record which would always be part of a larger collection of
> records. It's similar to a PATH record in that it doesn't make sense
> by itself, but when combined with the other records in an event, it
> provides useful information.
>> for the events that include a subject value I need to change those
>> events to use an audit_context. Is that going to introduce an
>> unacceptable memory or performance burden?
> No more so than any additional record. Or rather, it seems like this
> is the only way to do what you want to do so I don't see a way around
> it.
That's what I'll do then. Thanks again.
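
The record/event distinction discussed above, seen from the log consumer's side. This is an added example, not part of the thread and not kernel or audit userspace code: it groups records into events by the `msg=audit(timestamp:serial)` stamp they share. The log lines are constructed sample data and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample lines in the usual audit log layout; all values are made up.
# The PROCTITLE line is deliberately placed after an unrelated record to show
# that grouping depends on the stamp, not on adjacency in the file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1590789000.101:412): arch=c000003e syscall=257 success=yes exit=3 pid=2211 comm="cat"
type=CWD msg=audit(1590789000.101:412): cwd="/root"
type=PATH msg=audit(1590789000.101:412): item=0 name="/etc/shadow" inode=1234
type=USER_LOGIN msg=audit(1590789002.550:413): pid=2300 uid=0 msg='op=login res=success'
type=PROCTITLE msg=audit(1590789000.101:412): proctitle=636174
"""

# Every record starts with its type and the (timestamp:serial) stamp.
STAMP = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
)


def group_events(text):
    """Group records by stamp.

    Returns (events, unparsed): events maps (timestamp, serial) to the list
    of record types carrying that stamp, in first-seen order; unparsed holds
    lines without a recognisable stamp so they are not silently dropped.
    """
    events = OrderedDict()
    unparsed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STAMP.match(line)
        if m is None:
            unparsed.append(line)
            continue
        key = (m["ts"], int(m["serial"]))
        events.setdefault(key, []).append(m["type"])
    return events, unparsed


def single_record_events(events):
    """Stamps seen on exactly one record, i.e. records that stand alone."""
    return [key for key, types in events.items() if len(types) == 1]


if __name__ == "__main__":
    grouped, bad = group_events(SAMPLE_LOG)
    for (ts, serial), types in grouped.items():
        print(f"{ts}:{serial} -> {', '.join(types)}")
    print("single-record events:", single_record_events(grouped))
```

A PATH record on its own says little; grouped under the same stamp as SYSCALL and CWD it becomes part of one readable event, which is the role described for the proposed multiple-secctx record.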