From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: finit_module
Date: Mon, 07 Apr 2014 14:29:40 -0400
Message-ID: <1396895380.23819.7.camel@flatline.rdu.redhat.com>
References: <2949295.7qgFVbk0cj@x2> <1396888668.23819.0.camel@flatline.rdu.redhat.com> <2054283.lFVyHHJsdG@x2>
In-Reply-To: <2054283.lFVyHHJsdG@x2>
Sender: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, 2014-04-07 at 12:50 -0400, Steve Grubb wrote:
> On Monday, April 07, 2014 12:37:48 PM Eric Paris wrote:
> > On Fri, 2014-04-04 at 08:43 -0400, Steve Grubb wrote:
> > > Hello,
> > >
> > > In checking a system with newish kernel, 3.13.7, I noticed that sometimes
> > > finit_module is producing PATH records. Why?
> >
> > Because the module created all of those files while it was loading...
>
> Hmm...I don't think what we are getting is expected or useful. It would be
> nice to know what the paths are instead of NULL.

Is every single record NULL? I felt like it once upon a time had some
information.... Usually these are files in debugfs and sysfs being
created by the module load.

> It would also be highly
> desirable to get some basic information recorded about what module is getting
> loaded in an aux record.

Might be do-able to get something from the module header... with
finit_module (as opposed to init_module) we probably can get something
about the file descriptor...

> Especially since loading modules are how system tap
> and some of the kernel bug patching tools get loaded.

Not sure how reliable/useful these fields are, but we can possibly get
something...
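
An added example, not part of the original message or of the audit project's code: a small triage script that groups raw audit records by event serial, picks out finit_module events, and counts how many of their PATH records carry no name. The sample records are constructed, the syscall number 313 assumes x86_64 (arch=c000003e), and reading a0 as the file descriptor assumes the finit_module(fd, params, flags) argument order.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread); all field values are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1396615380.101:510): arch=c000003e syscall=313 success=yes exit=0 a0=3 items=2 pid=812 comm="modprobe" exe="/usr/bin/kmod"
type=PATH msg=audit(1396615380.101:510): item=0 name=(null) inode=9001 dev=00:07 mode=040755 nametype=CREATE
type=PATH msg=audit(1396615380.101:510): item=1 name=(null) inode=9002 dev=00:07 mode=0100644 nametype=CREATE
type=SYSCALL msg=audit(1396615381.220:511): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=900 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1396615381.220:511): item=0 name="/etc/hostname" inode=77 dev=fd:00 mode=0100644 nametype=NORMAL
"""

RECORD = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Group records by audit event serial: {serial: [(type, fields), ...]}."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[int(serial)].append((rtype, fields))
    return events

def is_finit_module(sc):
    # Interpreted logs carry the name; raw logs carry a per-arch number.
    return sc.get("syscall") == "finit_module" or (
        sc.get("arch") == "c000003e" and sc.get("syscall") == "313")

def module_load_report(log):
    """One row per finit_module event, with PATH totals and unnamed PATH count."""
    report = []
    for serial, records in sorted(parse(log).items()):
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if sc is None or not is_finit_module(sc):
            continue
        paths = [f for t, f in records if t == "PATH"]
        unnamed = [p for p in paths if p.get("name") == "(null)"]
        report.append({"serial": serial, "exe": sc.get("exe"), "fd": sc.get("a0"),
                       "paths": len(paths), "unnamed": len(unnamed)})
    return report

if __name__ == "__main__":
    for row in module_load_report(SAMPLE_LOG):
        print(row)
```

The fd value alone does not identify the module file; it only shows which descriptor the loader passed.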