On Thu, 2005-05-05 at 15:37 -0400, Steve Grubb wrote:
Hi,
I was looking into a problem from the test team and ran across this comment in
the kernel code:
http://lxr.linux.no/source/kernel/auditsc.c#L652
It basically says that audit records may be emitted as event records are
generated as opposed to syscall exit. The problem shows up during stress
testing. The records that get sent from the kernel are nowhere close to each
other and are hard to correlate.
The comment says that if the current technique isn't suitable, maybe we can
keep formatted records off of the context and then send them all at syscall
exit.
Can anyone see any problems with changing this?
The comment is primarily addressed to other users of the audit
subsystem, like SELinux, which immediately generate audit records of
their own rather than saving their data in the current audit context for
later processing by audit_log_exit. For all other audit generation, it
should all occur from audit_log_exit IIUC. However, audit_log_exit()
presently uses several audit_log_start()...audit_log_end() sequences
rather than a single one, which does split up the syscall audit record
information. I'm not entirely sure why it doesn't just bracket the
entire body of audit_log_exit() with a single
audit_log_start(); ... audit_log_end(); sequence.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
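An added example, not from either message or the kernel source, of how a userspace consumer can still stitch the split records back together: every record of one event carries the same `msg=audit(seconds.millis:serial)` prefix, so grouping on that key rather than on arrival order survives the interleaving Steve describes. The sample lines are constructed.

```python
import re
from collections import defaultdict

# Standard audit record prefix: type=<TYPE> msg=audit(<SEC.MSEC>:<SERIAL>): <body>
_PREFIX = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

def parse_record(line):
    """Return a dict for one audit record line, or None if it lacks the prefix."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    return {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"]), "body": m["body"]}

def correlate(lines):
    """Group records into events keyed by (timestamp, serial).

    Records belonging to one syscall may be interleaved with records of other
    syscalls when they come from separate audit_log_start/audit_log_end
    sequences, so adjacency is not a safe grouping key; the serial is.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # non-audit noise in the stream; ignore it
        events[(rec["ts"], rec["serial"])].append(rec)
    return dict(events)

def complete_events(events):
    """Keep only events that carry the SYSCALL record, which is the piece that
    names the syscall; a group without it is a fragment and not yet usable."""
    return {k: recs for k, recs in events.items() if any(r["type"] == "SYSCALL" for r in recs)}

# Constructed sample: two events (serials 52 and 53) whose records arrive interleaved.
SAMPLE = [
    'type=SYSCALL msg=audit(1115319420.101:52): syscall=5 success=yes exit=3 pid=1001',
    'type=SYSCALL msg=audit(1115319420.102:53): syscall=5 success=no exit=-13 pid=1002',
    'type=CWD msg=audit(1115319420.101:52):  cwd="/home/test"',
    'type=AVC msg=audit(1115319420.102:53): avc:  denied  { read } for  pid=1002',
    'type=PATH msg=audit(1115319420.102:53): item=0 name="/var/log/messages"',
    'type=PATH msg=audit(1115319420.101:52): item=0 name="/tmp/x"',
    'type=CWD msg=audit(1115319420.103:54):  cwd="/"',  # fragment: SYSCALL record not seen
]

if __name__ == "__main__":
    for key, recs in sorted(complete_events(correlate(SAMPLE)).items()):
        print(key, [r["type"] for r in recs])
```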