Kernel/audit.c
void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
1873 { 1874 const struct cred *cred; 1875 char comm[sizeof(tsk->comm)]; 1876 char *tty; 1877 1878 if (!ab) 1879 return; 1880 1881 /* tsk == current */ 1882 cred = current_cred(); 1883 1884 spin_lock_irq(&tsk->sighand->siglock); 1885 if (tsk->signal && tsk->signal->tty && tsk->signal->tty->name) 1886 tty = tsk->signal->tty->name; 1887 else 1888 tty = "(none)"; 1889 spin_unlock_irq(&tsk->sighand->siglock); 1890 1891 audit_log_format(ab, 1892 " ppid=%d pid=%d auid=%u uid=%u gid=%u" 1893 " euid=%u suid=%u fsuid=%u" 1894 " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", 1895 task_ppid_nr(tsk), 1896 task_pid_nr(tsk), 1897 from_kuid(&init_user_ns, audit_get_loginuid(tsk)), 1898 from_kuid(&init_user_ns, cred->uid), 1899 from_kgid(&init_user_ns, cred->gid), 1900 from_kuid(&init_user_ns, cred->euid), 1901 from_kuid(&init_user_ns, cred->suid), 1902 from_kuid(&init_user_ns, cred->fsuid), 1903 from_kgid(&init_user_ns, cred->egid), 1904 from_kgid(&init_user_ns, cred->sgid), 1905 from_kgid(&init_user_ns, cred->fsgid), 1906 + tty, audit_get_sessionid(tsk),ApplicationID............); 1907 1908 audit_log_format(ab, " comm="); 1909 audit_log_untrustedstring(ab, get_task_comm(comm, tsk)); 1910 1911 audit_log_d_path_exe(ab, tsk->mm); 1912 audit_log_task_context(ab); 1913 }
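Review bot: the argument added on line 1906 (ApplicationID............) has no matching conversion in the format string, which still ends at " egid=%u sgid=%u fsgid=%u tty=%s ses=%u", so the first audit_log_format() call now passes fourteen arguments for thirteen conversions and the new value is never written to the record. Add a name=value pair for it at the end of the format string, after ses=, so the existing fields keep their order. If the value is a string that a process can influence, emit it with audit_log_untrustedstring() as is done for comm just below, rather than through %s.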
On 16/04/25, Deepika Sundar wrote:
> I wanted to add the namespace information in the audit record, for example
> pid_ns, user_ns, net_ns. Is there any possibility to add this field inside
> the audit structure?
We've been looking at this issue for several years now and don't have an
obvious solution yet. There has been discussion on this list. It is on
the radar:
https://bugzilla.redhat.com/show_bug.cgi?id=1045666
- RGB
> On Thu, Apr 21, 2016 at 6:28 PM, Paul Moore <pmoore@redhat.com> wrote:
> > As we've already mentioned several times, we can make no guarantees
> > regarding functionality or compatibility without seeing your code.
> > While it may be frustrating, this is how Open Source development
> > works.
> >
> > If you are interested in our help you will need to describe, in
> > detail, what you are trying to do and ideally post your existing code
> > so it can be reviewed.
> >
> > On Thu, Apr 21, 2016 at 1:25 AM, Deepika Sundar
> > <sundar.deepika18@gmail.com> wrote:
> > > Okay, if I update Ausearch/aureport so that they are aware of the new
> > > field in the audit log structure, can that be a feasible approach?
> > >
> > > On Wed, Apr 20, 2016 at 6:00 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > >>
> > >> On Wednesday, April 20, 2016 10:05:42 AM Deepika Sundar wrote:
> > >> > In general, are there any compatibility issues if the audit log
> > >> > structure gets modified?
> > >>
> > >> Yes, there can be problems if the log structure gets modified.
> > >> Ausearch/report are highly optimized for an exact format.
> > >>
> > >> -Steve
> > >>
> > >>
> > >> > On Wed, Apr 13, 2016 at 6:01 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > >> > > On Wednesday, April 13, 2016 11:03:43 AM Deepika Sundar wrote:
> > >> > > > As per my understanding, the audit log structure can be extended
> > >> > > > based on requirements, and in my project I need to add an identifier
> > >> > > > field for the application. As of now I am not able to reveal what
> > >> > > > application I am trying to develop to update. So, is there any
> > >> > > > possibility that I can do it without breaking compatibility?
> > >> > >
> > >> > > I have no idea what you are doing so there is no guarantee that it
> > >> > > won't break something. If your project is going to be released as open
> > >> > > source it's generally best to collaborate with people so that problems
> > >> > > can be pointed out. Otherwise you risk spending a lot of time on
> > >> > > something only to have it rejected.
> > >> > >
> > >> > > -Steve
> > >> > >
> > >> > > > Or, if there are any compatibility issues, please specify.
> > >> > > >
> > >> > > > On Fri, Apr 8, 2016 at 12:12 AM, Paul Moore <paul@paul-moore.com> wrote:
> > >> > > > > On Thu, Apr 7, 2016 at 12:47 AM, Deepika Sundar
> > >> > > > > <sundar.deepika18@gmail.com> wrote:
> > >> > > > > > In the same way, on the kernel side,
> > >> > > > > > can I add one new field to the audit log structure without
> > >> > > > > > breaking compatibility? If so,
> > >> > > > > >
> > >> > > > > > 1. How can I add a new field without breaking compatibility?
> > >> > > > > >
> > >> > > > > > or
> > >> > > > > >
> > >> > > > > > 2. Is there any reserved field in the audit log structure so that I
> > >> > > > > > can make use of it?
> > >> > > > >
> > >> > > > > You need to be more specific about what you are trying to do.
> > >> > > > > Speaking generally, unless you work to get your changes merged into
> > >> > > > > the upstream kernel and userspace tools we cannot guarantee present or
> > >> > > > > future compatibility.
> > >> > > > >
> > >> > > > > --
> > >> > > > > paul moore
> > >> > > > > www.paul-moore.com
> > >>
> > >
> > >
> > > --
> > > Linux-audit mailing list
> > > Linux-audit@redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
> >
> >
> >
> > --
> > paul moore
> > security @ redhat
> >
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635