linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: fsopen missing info #152

Open stevegrubb opened 11 months ago

stevegrubb commented 11 months ago

The fsopen syscall looks like this in strace:

fsopen("ramfs", FSOPEN_CLOEXEC)

what is recorded by audit is:

syscall=fsopen success=yes exit=3 a0=0x56519590daa0 a1=0x1

We are missing the file system being opened.

The new util-linux 2.39.1 is no longer using the mount command but rather uses fsopen, fsconfig, fsmount, move_mount to mount devices. So, it's important to get this information since it's the new standard.
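The gap described in the issue above, as an added example that is not part of the original issue or the audit project's code: a small parser that groups fsopen, fsconfig, fsmount and move_mount SYSCALL records by pid and shows that the filesystem type cannot be filled in from the log. The sample records are constructed and trimmed; the function names and the x86_64 syscall-number map are assumptions of this example.

```python
import re
from collections import defaultdict

# x86_64 numbers for the new mount API; raw logs carry numbers, `ausearch -i` shows names.
NEW_MOUNT_API = {"429": "move_mount", "430": "fsopen", "431": "fsconfig", "432": "fsmount"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (trimmed, mixing names and raw numbers), not from a real host.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:90): syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7ffd0 pid=999 exe="/usr/bin/cat"
type=SYSCALL msg=audit(1700000000.201:91): syscall=fsopen success=yes exit=3 a0=0x56519590daa0 a1=0x1 pid=1234 exe="/usr/bin/mount"
type=SYSCALL msg=audit(1700000000.202:92): syscall=431 success=yes exit=0 a0=0x3 a1=0x6 pid=1234 exe="/usr/bin/mount"
type=SYSCALL msg=audit(1700000000.203:93): syscall=432 success=yes exit=4 a0=0x3 a1=0x1 pid=1234 exe="/usr/bin/mount"
type=SYSCALL msg=audit(1700000000.204:94): syscall=429 success=yes exit=0 a0=0x4 a1=0x7f00 pid=1234 exe="/usr/bin/mount"
"""

def parse(line):
    """Split one audit record into fields and normalise the syscall to its name."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["syscall"] = NEW_MOUNT_API.get(rec.get("syscall"), rec.get("syscall"))
    return rec

def mount_sequences(log):
    """Group successful new-mount-API calls by pid, in log order."""
    by_pid = defaultdict(list)
    for line in log.splitlines():
        rec = parse(line)
        if rec.get("type") == "SYSCALL" and rec["syscall"] in NEW_MOUNT_API.values() \
                and rec.get("success") == "yes":
            by_pid[rec["pid"]].append(rec)
    return by_pid

def report(log):
    """Return one finding per process that went from fsopen to move_mount."""
    findings = []
    for pid, recs in mount_sequences(log).items():
        calls = [r["syscall"] for r in recs]
        if "fsopen" in calls and "move_mount" in calls:
            a0 = next(r["a0"] for r in recs if r["syscall"] == "fsopen")
            # a0 is a user-space pointer to the fs name; the record holds no
            # string, so the filesystem type cannot be recovered from the log.
            findings.append({"pid": pid, "exe": recs[0]["exe"], "calls": calls,
                             "fsopen_a0": a0, "fstype": None})
    return findings

if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```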