On 2017-02-14 13:43, Steve Grubb wrote:
> On Tuesday, February 14, 2017 1:38:36 PM EST Paul Moore wrote:
> > On Tue, Feb 14, 2017 at 1:11 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > > On 2017-02-14 13:02, Steve Grubb wrote:
> > >> On Monday, February 13, 2017 4:20:55 PM EST Paul Moore wrote:
> > >> > On Sat, Feb 4, 2017 at 1:10 PM, Richard Guy Briggs <r...@redhat.com> wrote:
> > >> > > This adds a new auxiliary record MODULE_INIT to the SYSCALL event.
> > >> > >
> > >> > > We get finit_module for free since it made most sense to hook this in to
> > >> > > load_module().
> > >> > >
> > >> > > https://github.com/linux-audit/audit-kernel/issues/7
> > >> > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-load-record-format
> > >> >
> > >> > Correction for the record:
> > >> >
> > >> > * https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-Record-Format
> > >> >
> > >> > [NOTE: don't resend please, I'll fix this when merging]
> > >>
> > >> OK. Support was added to user space for this record. While doing this, I
> > >> wondered if we also get this auxiliary record when unloading a module?
> > >
> > > I thought of that at the time, which influenced the design and wording.
> > > It is not supported yet, but that should be easier to add.
> >
> > As a reminder, this is currently in audit/next and will be going up to
> > Linus next week during the merge window, if you want to change this
> > record in some backwards incompatible way, e.g. putting a field before
> > "name", you've got until the end of this week to figure that out.
>
> This isn't necessary. The syscall used denotes the meaning of the action.

Yeah, that's why I moved away from "init" or "load" in the record name or
format and why an "op=" field wasn't added.

> -Steve

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
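The point made in the thread above (the MODULE_INIT record carries only the module name, and the operation is read from the SYSCALL record it belongs to) as an added consumer-side example; this is not code from the thread or from the audit project. The log lines are constructed, the event grouping by msg=audit(ts:serial) and the x86_64 syscall numbers are assumptions, and the helper names are hypothetical.

```python
import re

# Assumption: events recorded on an x86_64 host (arch=c000003e), so the
# syscall numbers are init_module=175 and finit_module=313. Per the thread,
# unloading (delete_module) does not yet emit MODULE_INIT, so it is not mapped.
MODULE_SYSCALLS_X86_64 = {175: "init_module", 313: "finit_module"}

# Constructed sample audit events (not real logs): the SYSCALL record and its
# auxiliary MODULE_INIT record share the same msg=audit(timestamp:serial) id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1487090000.101:300): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=0 gid=0 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=MODULE_INIT msg=audit(1487090000.101:300): name="xfs"
type=SYSCALL msg=audit(1487090000.250:301): arch=c000003e syscall=175 success=no exit=-1 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4243 auid=1000 uid=0 gid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=MODULE_INIT msg=audit(1487090000.250:301): name="testmod"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group raw audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events.setdefault(int(serial), {})[rtype] = fields
    return events


def module_events(text, syscall_table=MODULE_SYSCALLS_X86_64):
    """For each event with a MODULE_INIT record, return
    (serial, operation, module name, success); the operation is derived from
    the SYSCALL record, since MODULE_INIT itself has no op= field."""
    out = []
    for serial, recs in sorted(parse_records(text).items()):
        if "MODULE_INIT" not in recs or "SYSCALL" not in recs:
            continue
        sc = recs["SYSCALL"]
        op = syscall_table.get(int(sc["syscall"]), "unknown")
        out.append((serial, op, recs["MODULE_INIT"]["name"], sc["success"] == "yes"))
    return out


if __name__ == "__main__":
    for ev in module_events(SAMPLE_LOG):
        print(ev)
```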