On Mon, 2014-04-07 at 12:50 -0400, Steve Grubb wrote:
> On Monday, April 07, 2014 12:37:48 PM Eric Paris wrote:
> > On Fri, 2014-04-04 at 08:43 -0400, Steve Grubb wrote:
> > > Hello,
> > >
> > > In checking a system with newish kernel, 3.13.7, I noticed that sometimes
> > > finit_module is producing PATH records. Why?
> >
> > Because the module created all of those files while it was loading...
>
> Hmm...I don't think what we are getting is expected or useful. It would be
> nice to know what the paths are instead of NULL.

Is every single record NULL? I felt like it once upon a time had some information.... Usually these are files in debugfs and sysfs being created by the module load.

> It would also be highly
> desirable to get some basic information recorded about what module is getting
> loaded in an aux record.

Might be do-able to get something from the module header... with finit_module (as opposed to init_module) we probably can get something about the file descriptor...

> Especially since loading modules are how system tap
> and some of the kernel bug patching tools get loaded.

Not sure how reliable/useful these fields are, but we can possibly get something...

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
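An added example, not part of the thread or of the audit project's code: a small Python correlator that groups raw audit records by event ID and reports, for each module-load syscall, how many PATH records came with it and how many carry no usable name. The sample log lines are constructed, the `name=(null)` spelling for the NULL paths discussed above is an assumption, and the syscall numbers are the x86_64 ones.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers (arch=c000003e): init_module=175, finit_module=313.
MODULE_SYSCALLS = {"175": "init_module", "313": "finit_module"}

# Constructed sample records in auditd's raw log layout; not taken from the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1396630980.101:812): arch=c000003e syscall=313 success=yes exit=0 comm="modprobe" exe="/usr/bin/kmod"
type=PATH msg=audit(1396630980.101:812): item=0 name=(null) inode=9001 dev=00:07 mode=040755
type=PATH msg=audit(1396630980.101:812): item=1 name=(null) inode=9002 dev=00:07 mode=0100644
type=SYSCALL msg=audit(1396630981.220:813): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1396630981.220:813): item=0 name="/etc/hosts" inode=77 dev=fd:00 mode=0100644
type=SYSCALL msg=audit(1396630990.500:820): arch=c000003e syscall=175 success=yes exit=0 comm="insmod" exe="/usr/bin/kmod"
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def module_load_events(log_text):
    """Group records by (timestamp, serial) and summarise module-load events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[(ts, serial)].append((rtype, fields))
    summary = []
    for (ts, serial), records in events.items():
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if not sc or sc.get("arch") != "c000003e":
            continue  # the numbers above are only valid for x86_64
        if sc.get("syscall") not in MODULE_SYSCALLS:
            continue
        names = [f.get("name") for t, f in records if t == "PATH"]
        summary.append({
            "event": f"{ts}:{serial}",
            "syscall": MODULE_SYSCALLS[sc["syscall"]],
            "exe": sc.get("exe"),
            "paths": len(names),
            # PATH records that give a reviewer nothing to go on
            "null_paths": sum(1 for n in names if n in (None, "(null)")),
        })
    return summary

if __name__ == "__main__":
    for ev in module_load_events(SAMPLE_LOG):
        print(ev)
```

A module-load event whose `null_paths` equals `paths` is the case questioned in the thread: the PATH records are present but identify nothing.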
