More than one filesystem was causing hundreds to thousands of null PATH
records to be associated with the *init_module SYSCALL records on a few
modules with corresponding audit syscall rules.

This patchset adds extra information to those PATH records to provide
insight into what is generating them, including a partial pathname,
fstype field, and two new filetypes that indicate the pathname isn't
anchored at the root of the task's root filesystem.

Richard Guy Briggs (3):
  audit: show partial pathname for entries with anonymous parents
  audit: append new fstype field for anonymous PATH records
  audit: add new filetypes CREATE_ANON and PARENT_ANON

 include/linux/audit.h | 10 ++++++----
 kernel/audit.c        | 41 ++++++++++++++++++++++++++++++++++++++++-
 kernel/audit.h        |  1 +
 kernel/auditsc.c      | 12 ++++++++++--
 4 files changed, 57 insertions(+), 7 deletions(-)

-- 
1.8.3.1

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
