linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

Q: AUDIT_KERN_MODULE uses "name" field #70

Closed stevegrubb closed 6 years ago

stevegrubb commented 6 years ago

The AUDIT_KERN_MODULE record uses a "name" field which is always a full path name to a file. I think "module" or "mod-name" would be more appropriate.

pcmoore commented 6 years ago

This would be a break with the current kernel generated records and isn't something we are going to change anytime soon.

pcmoore commented 6 years ago

It has been a couple of months with no further comments, so considering my statement above, I'm closing this out as a WONTFIX.

stevegrubb commented 6 years ago

Why is this being closed? The record violates our standards and needs to be fixed. It's a simple 1-line patch and would fix an unnecessary problem.

pcmoore commented 6 years ago

@stevegrubb you know why this is being closed, Richard and I have already talked to you about this. Richard proposed the patches that added this information, documented it in the wiki[1], provided tests for the audit-testsuite, and generally did everything that could be reasonably asked to ensure that the changes were acceptable. I agree that it is unfortunate that you are unhappy with the results, but you had plenty of chances to raise an objection. With very few exceptions, we don't change things once the kernel has been released by Linus, so the "name" field is going to stand for the foreseeable future.

[1] https://github.com/linux-audit/audit-kernel/wiki/RFE-Module-Load-and-Unload-Record-Format