Re: [PATCH v3 9/23] audit: Add a new audit_get_ctime() helper
From: Paul Moore <paul@paul-moore.com>
Date: 2025-01-05 01:23:52
Also in: lkml
On Nov 22, 2024 Mickaël Salaün wrote:
> It may be useful to synchronize with the audit's timestamp e.g., to
> identify asynchronous events as being created with a previous audit
> record (see next commit).
>
> auditsc_get_stamp() does more than just getting a timestamp, so add a
> new helper instead of exposing it and risking side effects.
>
> It should be noted that we cannot reliably expose event's serial numbers
> because there may not be any related event, which would then create
> holes in the sequence of serial numbers.
>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> Link: https://lore.kernel.org/r/20241122143353.59367-10-mic@digikod.net
> ---
> Changes since v2:
> - New patch.
> ---
>  include/linux/audit.h |  8 ++++++++
>  kernel/auditsc.c      | 21 ++++++++++++++++++---
>  2 files changed, 26 insertions(+), 3 deletions(-)
I need to see where you actually use this, but I'm not sure I want to
expose the audit timestamp outside of the audit subsystem.

Okay, I found at least one user in patch 10/23, and no, that's not
something I think we want to support with audit. More about this in
patch 10/23.

--
paul-moore.com