syscall - "comm" field truncated

Paul Moore paul at paul-moore.com
Wed Apr 6 14:05:35 UTC 2016


On Wed, Apr 6, 2016 at 9:53 AM, Lev Stipakov <lstipakov at gmail.com> wrote:
> Hello,
>
> Sometimes audit of "execve" syscall generates events with truncated "comm"
> values, for example:
>
> type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59
> success=yes exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2 ppid=2183
> pid=26566 auid=4294967295 uid=1001 gid=1001 euid=1001
> suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none)
> ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"
>
> Why is "comm" "gnome-calculato" and not "/usr/bin/gnome-calculator"?

This is due to a limitation in how the kernel records the comm field
and isn't likely to change.

-- 
paul moore
www.paul-moore.com
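As an added illustration that is not part of the thread: the kernel stores comm in a buffer of TASK_COMM_LEN (16) bytes, so at most 15 characters survive, which is why a detection rule written as comm="gnome-calculator" would never fire. The Python below parses the SYSCALL record from the thread (re-typed here as constructed input) and matches on exe, falling back to the truncated comm only when exe is absent; the helper names are my own.

```python
import os
import re

# Linux keeps comm in a TASK_COMM_LEN (16) byte buffer: 15 bytes plus the NUL.
TASK_COMM_LEN = 16
COMM_MAX = TASK_COMM_LEN - 1

# Constructed sample: the record quoted in the thread, joined onto one line.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2 ppid=2183 '
    'pid=26566 auid=4294967295 uid=1001 gid=1001 euid=1001 '
    'suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) '
    'ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"'
)

# key=value pairs; a value is either a double-quoted string or a run of non-space bytes.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line):
    """Return the record's fields as a dict, with surrounding quotes stripped."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def expected_comm(path):
    """comm the kernel records for a program: basename cut to 15 bytes.
    (The kernel uses the basename of the filename passed to execve, which
    normally matches the resolved exe path.)"""
    name = os.path.basename(path).encode()
    return name[:COMM_MAX].decode(errors="replace")


def comm_consistent_with_exe(record):
    """True when comm is exactly what truncation of exe's basename would give.
    A mismatch is not by itself suspicious: #! scripts and prctl(PR_SET_NAME)
    legitimately change comm, so treat it as a hint, not a verdict."""
    return record.get("comm") == expected_comm(record.get("exe", ""))


def matches_program(record, program):
    """Detection-rule match on a full program name, truncation-aware.
    Prefer the untruncated exe field; only fall back to comm when exe is missing."""
    exe = record.get("exe")
    if exe is not None:
        return os.path.basename(exe) == program
    return record.get("comm") == expected_comm(program)
```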
