On Fri, May 29, 2020 at 1:59 PM Casey Schaufler <casey(a)schaufler-ca.com> wrote:
> What does a NULL audit context (e.g. ab->cxt == NULL) tell
> me about the status of the audit buffer? It seems like it should
> be telling me that the audit buffer is being created for some
> purpose unrelated to the current task. And yet there are places
> where information is pulled from the current task even when
> the cxt is NULL.
The simple answer is that a NULL audit_context indicates a standalone
record, meaning a record with a unique timestamp so that it is not
associated with any other records into an event. If the audit_context
is not NULL then the information in the context is used to group, or
associate, all of the records sharing that context into a single
event.
This is just one example, but a non-NULL audit_context is how PATH
records end up being associated with SYSCALL records in a single
event.
--
paul moore
www.paul-moore.com
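The NULL-versus-non-NULL split described above, as an added illustration that is not code from the thread or from the kernel: a simplified model of how the stamp (timestamp plus serial) that identifies an event is chosen. The names `model_audit_context`, `model_audit_get_stamp` and `model_audit_serial` are stand-ins for the kernel's `audit_context`, `audit_get_stamp()` and `audit_serial()`, the clock is a counter, and the millisecond field of the event id is fixed at zero; all of that is assumed for the example only.

```c
/* Simplified model of how the audit code picks the (timestamp, serial) pair
 * that groups records into one event. Added illustration, not kernel code:
 * the names below are stand-ins for audit_context, audit_get_stamp() and
 * audit_serial(), and the clock is a counter rather than the real time. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct model_audit_context {
    bool in_syscall;          /* the context is live for the current syscall */
    unsigned int serial;      /* 0 until the first record in the event is stamped */
    unsigned long ctime_sec;  /* time captured when the syscall was entered */
};

struct model_stamp {
    unsigned long sec;
    unsigned int serial;
};

/* One global serial counter shared by every record, like audit_serial(). */
static unsigned int model_next_serial = 0;
/* Stand-in clock: starts at an arbitrary constructed epoch and advances
 * on every read so that two standalone records never share a timestamp. */
static unsigned long model_clock_sec = 1590000000UL;

static unsigned int model_audit_serial(void) { return ++model_next_serial; }
static unsigned long model_now(void) { return ++model_clock_sec; }

/* ctx == NULL (or a context that is not inside a syscall): standalone record,
 * fresh timestamp and serial, so it forms an event of its own.
 * ctx != NULL: every record issued against this context reuses the context's
 * timestamp and its serial, assigned lazily on the first record. */
static struct model_stamp model_audit_get_stamp(struct model_audit_context *ctx)
{
    struct model_stamp st;

    if (ctx && ctx->in_syscall) {
        if (!ctx->serial)
            ctx->serial = model_audit_serial();
        st.sec = ctx->ctime_sec;
        st.serial = ctx->serial;
    } else {
        st.sec = model_now();
        st.serial = model_audit_serial();
    }
    return st;
}

/* Renders the event id in the form records carry it, msg=audit(sec.msec:serial);
 * the msec field is fixed at 000 in this model. */
static int model_event_id(struct model_stamp st, char *buf, size_t len)
{
    return snprintf(buf, len, "audit(%lu.000:%u)", st.sec, st.serial);
}

/* Two records belong to the same event iff both stamp fields match. */
static bool same_event(struct model_stamp a, struct model_stamp b)
{
    return a.sec == b.sec && a.serial == b.serial;
}

int main(void)
{
    /* A syscall context: the SYSCALL and PATH records share it. */
    struct model_audit_context ctx = { .in_syscall = true, .serial = 0,
                                       .ctime_sec = model_now() };
    struct model_stamp syscall_rec = model_audit_get_stamp(&ctx);
    struct model_stamp path_rec = model_audit_get_stamp(&ctx);
    /* A record logged with a NULL context, e.g. a configuration change. */
    struct model_stamp standalone = model_audit_get_stamp(NULL);
    char id[64];

    model_event_id(syscall_rec, id, sizeof id);
    printf("type=SYSCALL msg=%s\n", id);
    model_event_id(path_rec, id, sizeof id);
    printf("type=PATH    msg=%s  (same event: %s)\n", id,
           same_event(syscall_rec, path_rec) ? "yes" : "no");
    model_event_id(standalone, id, sizeof id);
    printf("type=CONFIG_CHANGE msg=%s  (same event: %s)\n", id,
           same_event(syscall_rec, standalone) ? "yes" : "no");
    return 0;
}
```

The consequence for anyone reading the log is that the `audit(sec.msec:serial)` key, not the record type, is what ties a PATH record to its SYSCALL record; a record stamped with a NULL context gets a key no other record shares.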