On 2020-12-07 18:28, Steve Grubb wrote:
> Hello Max,
>
> On Monday, December 7, 2020 4:28:14 PM EST Max Englander wrote:
> > Steve, I'm happy to make changes to the userspace PR based on
> > Richard's suggestions, if that sounds good to you. I'll follow up in
> > the PR to discuss it more
>
> The only issue is new userspace on old kernel. I think if we use both the
> configure macro in addition to a size check, then it will at least allow
> forward and backward compatibility.
Are you talking about a new userspace compiled on a new kernel header
file run on an old kernel? That would be less reliable and need the
size check. The bitmap would be the most reliable in that scenario.
By configure macro are you talking about the presence of that audit
status mask bit, or the presence of that struct audit_status member?
> Other metrics would be good. I'd like to see a max_backlog to know if we are
> wasting memory. It would just record the highwater mark since auditing was
> enabled.
That would be covered with this issue:
https://github.com/linux-audit/audit-kernel/issues/63
> -Steve
- RGB
--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
