Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754798AbdCINZA (ORCPT ); Thu, 9 Mar 2017 08:25:00 -0500 Received: from mx1.redhat.com ([209.132.183.28]:59106 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754315AbdCINY6 (ORCPT ); Thu, 9 Mar 2017 08:24:58 -0500 From: Steve Grubb To: Richard Guy Briggs Cc: Greg Kroah-Hartman , LKML , Steven Rostedt , Linux-Audit Mailing List , Al Viro , Ingo Molnar , Jessica Yu Subject: Re: Hundreds of null PATH records for *init_module syscall audit logs Date: Thu, 09 Mar 2017 08:24:05 -0500 Message-ID: <1528289.CZOIOPGIO4@x2> Organization: Red Hat In-Reply-To: <20170303211454.GK3818@madcap2.tricolour.ca> References: <20170301031549.GT18258@madcap2.tricolour.ca> <2137861.7RBAWtfTXJ@x2> <20170303211454.GK3818@madcap2.tricolour.ca> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 09 Mar 2017 13:24:08 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1009 Lines: 24 On Friday, March 3, 2017 4:14:54 PM EST Richard Guy Briggs wrote: > > > > 1 - In __audit_inode_child, return immedialy upon detecting TRACEFS > > > > and > > > > > > > > DEBUGFS (and potentially other filesystems identified, via s_magic). > > > > XFS creates them too. Who knows what else. > > Why would this happen? I would assume it is a mounted filesystem. Do > you have a sample of the extra records? I can't find them right away. But I've seen them. > This brings me back to the original reaction I had to your suggestion > which is: Are you certain there is never a circumstance where *_module > syscalls never involve a file? Say, the module itself on loading pulls > in other files from the mounted filesystem? We don't care about this. Audit events have to tell a story. They must have a subject, action, and object. In this case its "somebody loaded a kernel module X". Where X is the module name. Paths are irrelevant to the story and just make it hard to understand the event. -Steve