[PATCH ghak8 ALT4 V4 0/3] audit: show more information for entries with anonymous parents

From: Richard Guy Briggs
Date: Mon Feb 12 2018 - 00:07:05 EST


More than one filesystem was causing hundreds to thousands of null PATH
records to be associated with the *init_module SYSCALL records on a few
modules with corresponding audit syscall rules.

This patchset adds extra information to those PATH records to provide
insight into what is generating them, including a partial pathname,
fstype field, and two new filetypes that indicate the pathname isn't
anchored at the root of the task's root filesystem.

Richard Guy Briggs (3):
  audit: show partial pathname for entries with anonymous parents
  audit: append new fstype field for anonymous PATH records
  audit: add new filetypes CREATE_ANON and PARENT_ANON

 include/linux/audit.h | 10 ++++++----
 kernel/audit.c        | 41 ++++++++++++++++++++++++++++++++++++++++-
 kernel/audit.h        |  1 +
 kernel/auditsc.c      | 12 ++++++++++--
 4 files changed, 57 insertions(+), 7 deletions(-)

--
1.8.3.1