
RFE: fsconfig missing info

Open stevegrubb opened this issue 2 years ago • 0 comments

fsconfig looks like this when captured by strace:

fsconfig(3, FSCONFIG_SET_STRING, "source", "/dev/ram0", 0)

The audit event looks like this: syscall=fsconfig success=yes exit=0 a0=0x3 a1=0x1 a2=0x7fba578b5fed a3=0x56519590dac0

with nothing but a syscall & proctitle record. We need to capture the device being mounted at a minimum. The new util-linux 2.39.1 is no longer using the mount command but rather uses fsopen, fsconfig, fsmount, move_mount to mount devices. So, it's important to get this information since it's the new standard.

stevegrubb, Sep 24 '23 21:09
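An added example, not part of the original issue or of the audit project's code: a triage helper that picks new mount API syscalls out of interpreted audit records and decodes the fields of an `fsconfig` record that are recoverable, showing that the key and value survive only as pointers. The function names are hypothetical, the records are assumed to be in the interpreted form shown in the issue, and the sample lines are constructed around the issue's values.

```python
import re

# FSCONFIG_* command values from the kernel UAPI header <linux/mount.h>.
FSCONFIG_CMDS = {
    0: "FSCONFIG_SET_FLAG", 1: "FSCONFIG_SET_STRING",
    2: "FSCONFIG_SET_BINARY", 3: "FSCONFIG_SET_PATH",
    4: "FSCONFIG_SET_PATH_EMPTY", 5: "FSCONFIG_SET_FD",
    6: "FSCONFIG_CMD_CREATE", 7: "FSCONFIG_CMD_RECONFIGURE",
}
# New mount API syscalls named in the issue.
NEW_MOUNT_API = {"fsopen", "fsconfig", "fsmount", "move_mount"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the issue's event values wrapped in a typical
# interpreted SYSCALL record (timestamp, serial, comm, exe are made up).
SAMPLE = [
    'type=SYSCALL msg=audit(09/24/2023 21:09:00.000:100) : arch=x86_64 '
    'syscall=fsconfig success=yes exit=0 a0=0x3 a1=0x1 a2=0x7fba578b5fed '
    'a3=0x56519590dac0 items=0 comm=mount exe=/usr/bin/mount',
    'type=SYSCALL msg=audit(09/24/2023 21:09:00.000:101) : arch=x86_64 '
    'syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7ffd0000 a2=0x0 '
    'a3=0x0 items=1 comm=cat exe=/usr/bin/cat',
]

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def describe_fsconfig(rec):
    """Decode the parts of an fsconfig record that are recoverable."""
    a0, a1, a2, a3 = (int(rec[f"a{i}"], 16) for i in range(4))
    return {
        "fs_context_fd": a0,
        "cmd": FSCONFIG_CMDS.get(a1, f"unknown({a1})"),
        # a2 and a3 are user-space addresses of the key and value; only the
        # pointers are logged, so the strings behind them cannot be read back.
        "key_ptr": hex(a2),
        "value_ptr": hex(a3),
    }

def mount_api_events(lines):
    """Return (syscall, decoded-or-None) for each new mount API record."""
    out = []
    for rec in map(parse_record, lines):
        name = rec.get("syscall")
        if rec.get("type") == "SYSCALL" and name in NEW_MOUNT_API:
            out.append((name, describe_fsconfig(rec) if name == "fsconfig" else None))
    return out
```

For the issue's event this yields the command `FSCONFIG_SET_STRING` on fd 3 and two addresses, with no trace of `"source"` or `"/dev/ram0"`.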