On Fri, Jan 15, 2021 at 9:43 PM Burn Alting <[email protected]> wrote:
> On Fri, 2021-01-15 at 19:35 -0500, Richard Guy Briggs wrote:
>> Or we go back to userspace code looking for the EOE record? This
>> doesn't help if they arrive out of order. Do we number the records in
>> the kernel? N of M...
>
> I like the N of M concept but there would be a LOT of change - especially for
> all the non-kernel event sources. The EOE would be the most seamless, but at
> a cost.
> My preference is to allow the 2 second 'timer' to be configurable.

Agree with Burn, numbering the records coming up from the kernel is
going to be a real nightmare, and not something to consider lightly.
Especially when it sounds like we don't yet have a root cause for the
issue.

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
