On Nov 22, 2024 Mickaël Salaün <[email protected]> wrote:
>
> It may be useful to synchronize with the audit's timestamp e.g., to
> identify asynchronous events as being created with a previous audit
> record (see next commit).
>
> auditsc_get_stamp() does more than just getting a timestamp, so add a
> new helper instead of exposing it and risking side effects.
>
> It should be noted that we cannot reliably expose event's serial numbers
> because there may not be any related event, which would then create
> holes in the sequence of serial numbers.
>
> Cc: Eric Paris <[email protected]>
> Cc: Paul Moore <[email protected]>
> Signed-off-by: Mickaël Salaün <[email protected]>
> Link: https://lore.kernel.org/r/[email protected]
> ---
> Changes since v2:
> - New patch.
> ---
>  include/linux/audit.h |  8 ++++++++
>  kernel/auditsc.c      | 21 ++++++++++++++++++---
>  2 files changed, 26 insertions(+), 3 deletions(-)

I need to see where you actually use this, but I'm not sure I want to
expose the audit timestamp outside of the audit subsystem.

Okay, I found at least one user in patch 10/23, and no, that's not
something I think we want to support with audit. More about this in
patch 10/23.

--
paul-moore.com
