From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: finit_module
Date: Mon, 07 Apr 2014 12:50:04 -0400
Message-ID: <2054283.lFVyHHJsdG@x2>
References: <2949295.7qgFVbk0cj@x2>
	<1396888668.23819.0.camel@flatline.rdu.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1396888668.23819.0.camel@flatline.rdu.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, April 07, 2014 12:37:48 PM Eric Paris wrote:
> On Fri, 2014-04-04 at 08:43 -0400, Steve Grubb wrote:
> > Hello,
> > 
> > In checking a system with newish kernel, 3.13.7, I noticed that sometimes
> > finit_module is producing PATH records. Why?
> 
> Because the module created all of those files while it was loading...

Hmm...I don't think what we are getting is expected or useful. It would be 
nice to know what the paths are instead of NULL. It would also be highly 
desirable to get some basic information recorded about what module is getting 
loaded in an aux record. Especially since loading modules are how system tap 
and some of the kernel bug patching tools get loaded.

-Steve