From: Steve Grubb
To: Richard Guy Briggs
Cc: Paul Moore, Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, Eric Paris, ebiederm@xmission.com, tgraf@infradead.org
Subject: Re: [PATCH ghak25 v4 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister
Date: Wed, 06 May 2020 17:26:25 -0400
Message-ID: <3250272.v6NOfJhyum@x2>

On Wednesday, April 29, 2020 5:32:47 PM EDT Richard Guy Briggs wrote:
> On 2020-04-29 14:47, Steve Grubb wrote:
> > On Wednesday, April 29, 2020 10:31:46 AM EDT Richard Guy Briggs wrote:
> > > On 2020-04-28 18:25, Paul Moore wrote:
> > > > On Wed, Apr 22, 2020 at 5:40 PM Richard Guy Briggs wrote:
> > > > > Some table unregister actions seem to be initiated by the kernel to
> > > > > garbage collect unused tables that are not initiated by any userspace
> > > > > actions.  It was found to be necessary to add the subject credentials
> > > > > to cover this case to reveal the source of these actions.  A sample
> > > > > record:
> > > > > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge entries=0 op=unregister pid=153 uid=root auid=unset tty=(none) ses=unset subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 exe=(null)
> > > >
> > > > [I'm going to comment up here instead of in the code because it is a
> > > > bit easier for everyone to see what the actual impact might be on the
> > > > records.]
> > > >
> > > > Steve wants subject info in this case, okay, but let's try to trim out
> > > > some of the fields which simply don't make sense in this record; I'm
> > > > thinking of fields that are unset/empty in the kernel case and are
> > > > duplicates of other records in the userspace/syscall case.  I think
> > > > that means we can drop "tty", "ses", "comm", and "exe" ... yes?
> > >
> > > From the ghak28 discussion, this list and order was selected due to
> > > Steve's preference for the "kernel" record convention, so deviating
> > > from this will create yet a new field list.  I'll defer to Steve on
> > > this. It also has to do with the searchability of fields if they are
> > > missing.
> > >
> > > I do agree that some fields will be superfluous in the kernel case.
> > > The most important field would be "subj", but then "pid" and "comm", I
> > > would think.  Based on this contents of the "subj" field, I'd think
> > > that "uid", "auid", "tty", "ses" and "exe" are not needed.
> >
> > We can't be adding deleting fields based on how it's triggered. If they
> > are unset, that is fine. The main issue is they have to behave the same.
>
> I don't think the intent was to have fields swing in and out depending
> on trigger.  The idea is to potentially permanently not include them in
> this record type only.  The justification is that where they aren't
> needed for the kernel trigger situation it made sense to delete them
> because if it is a user context event it will be accompanied by a
> syscall record that already has that information and there would be no
> sense in duplicating it.

We should not be adding syscall records to anything that does not result from
a syscall rule triggering the event. It's very wasteful. More wasteful than
just adding the necessary fields.

I also wished we had a coding specification that put this in writing so that
every event is not a committee decision. That anyone can look at the document
and Do The Right Thing ™.

If I add a section to Writing-Good-Events outlining the expected ordering of
fields, would that be enough that we do not have long discussions about event
format? I'm thinking this would also help new people that want to contribute.

-Steve
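
The following is an added example, not part of the thread and not code from the audit project. It parses the sample NETFILTER_CFG record quoted above and shows what a log consumer sees when the four fields proposed for trimming are absent. The field list `EXPECTED`, the `TRIMMED` record and the "kernel-initiated" heuristic are assumptions built from that one sample.

```python
import re

# Sample record as quoted in the thread (interpreted form).
SAMPLE = ("type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : "
          "table=nat family=bridge entries=0 op=unregister pid=153 uid=root "
          "auid=unset tty=(none) ses=unset subj=system_u:system_r:kernel_t:s0 "
          "comm=kworker/u4:2 exe=(null)")

# Constructed variant: the same event with "tty", "ses", "comm", "exe" dropped.
TRIMMED = ("type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : "
           "table=nat family=bridge entries=0 op=unregister pid=153 uid=root "
           "auid=unset subj=system_u:system_r:kernel_t:s0")

# Field list and order taken from the sample record (assumption).
EXPECTED = ["table", "family", "entries", "op", "pid", "uid",
            "auid", "tty", "ses", "subj", "comm", "exe"]
UNSET = {"unset", "(none)", "(null)"}  # placeholder values seen in the sample

HEADER = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) ?: ?(.*)$")


def parse_record(line):
    """Split one interpreted audit record into header parts and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, stamp, serial, body = m.groups()
    fields = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
    return {"type": rtype, "time": stamp, "serial": int(serial), "fields": fields}


def missing_fields(rec):
    """Expected fields that a search on this record could not match at all."""
    return [name for name in EXPECTED if name not in rec["fields"]]


def order_matches(rec):
    """True when the record carries exactly the expected fields in order."""
    return list(rec["fields"]) == EXPECTED


def kernel_initiated(rec):
    """Heuristic: no login uid, no session, no executable.

    Returns None when the record lacks the fields needed to decide, which
    is the case a consumer has to handle if fields are trimmed.
    """
    f = rec["fields"]
    needed = ("auid", "ses", "exe")
    if any(name not in f for name in needed):
        return None
    return all(f[name] in UNSET for name in needed)
```

With the full record the check is decidable from this one record; with the trimmed one it returns `None`, so the consumer has to fall back to another field such as `subj` or to a correlated record.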