The audit event looks like this:
syscall=fsconfig success=yes exit=0 a0=0x3 a1=0x1 a2=0x7fba578b5fed a3=0x56519590dac0
with nothing but a syscall & proctitle record. We need to capture the device being mounted at a minimum. The new util-linux 2.39.1 is no longer using the mount command but rather uses fsopen, fsconfig, fsmount, move_mount to mount devices. So, it's important to get this information since it's the new standard.
fsconfig looks like this when captured by strace:
fsconfig(3, FSCONFIG_SET_STRING, "source", "/dev/ram0", 0)
The audit event looks like this: syscall=fsconfig success=yes exit=0 a0=0x3 a1=0x1 a2=0x7fba578b5fed a3=0x56519590dac0
with nothing but a syscall & proctitle record. We need to capture the device being mounted at a minimum. The new util-linux 2.39.1 is no longer using the mount command but rather uses fsopen, fsconfig, fsmount, move_mount to mount devices. So, it's important to get this information since it's the new standard.