On 2021-11-04 17:29, Paul Moore wrote:
On Thu, Nov 4, 2021 at 5:00 PM Richard Guy Briggs
<rgb(a)redhat.com> wrote:
>
> AUDIT_TIME_* events are generated when there are syscall rules present that are
> not related to time keeping. This will produce noisy log entries that could
> flood the logs and hide events we really care about.
>
> Rather than immediately produce the AUDIT_TIME_* records, store the data and
> log it at syscall exit time respecting the filter rules.
>
> Please see
https://bugzilla.redhat.com/show_bug.cgi?id=1991919
Unfortunately that URL isn't publicly accessible. It might be helpful
to simply add the relevant information to the commit description[1]
and omit the link entirely. Since this is just an RFC, please don't
resend the patch just to include that information, you can simply
reply to this thread with the additional info.
Hmmm, sorry about that. There isn't really anything in that bz that
shouldn't be public, but I'll check before openning it up...
Basically it was a report that:
TIME_ADJNTPVAL audit events are not generated if there are no syscalls
rules, but that these events are generated when at least one unrelated
syscall rule is added.
This behaviour was confirmed but the conclusion about what should be the
correct behaviour differed from that of the reporter.
paul moore
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635