Re: [PATCH v2] audit: log AUDIT_TIME_* records only from rules

AUDIT_TIME_* events are generated when there are syscall rules present that are not related to time keeping. This will produce noisy log entries that could flood the logs and hide events we really care about. Rather than immediately produce the AUDIT_TIME_* records, store the data in the context and log it at syscall exit time respecting the filter rules. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1991919 Fixes: 7e8eda734d30 ("ntp: Audit NTP parameters adjustment") Fixes: 2d87a0674bd6 ("timekeeping: Audit clock adjustments") Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com&gt; --- Changelog: v2: - rename __audit_ntp_log_ to audit_log_ntp - pre-check ntp before storing - move tk out of the context union and move ntp logging to the bottom of audit_show_special() - restructure logging of ntp to use ab and allocate more only if more - add Fixes lines kernel/audit.h | 2 ++ kernel/auditsc.c | 77 +++++++++++++++++++++++++++++++++++------------- 2 files changed, 59 insertions(+), 20 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index c4498090a5bd..11789249d838 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -201,8 +201,10 @@ struct audit_context { struct { char *name; } module; + struct audit_ntp_data ntp_data; }; int fds[2]; + struct timespec64 tk_injoffset; struct audit_proctitle proctitle; };