From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: multipart messages & delivery guarantees
Date: Mon, 23 Feb 2015 13:48:49 -0500
Message-ID: <20150223134849.60cd7dc1@ivy-bridge>
References: <op.xuhpzho21jp0b1@win8mac>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <op.xuhpzho21jp0b1@win8mac>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Hassan Sultan <hsultan@thefroid.net>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sun, 22 Feb 2015 19:15:07 -0800
"Hassan Sultan" <hsultan@thefroid.net> wrote:
> Some events, such as execve or socket-related syscalls generate more
> than one message, which I'll separate as the "main" message, and then
> the 'sub' messages.
> 
> Does the audit system guarantee in any way that user-mode will
> receive either no message, or all messages for a given event ?

If a syscall cannot be audited, the syscall has to fail.

 
> I'm curious to know if for example I could get an execve syscall
> message, but no cwd message, for example in case of low-memory
> condition.

I suppose it depends on where in the processing an error occurs. Some
failure modes if selected cause a system panic. You'll probably want to
look through the kernel source code to be sure.

-Steve