syscall - "comm" field truncated

Richard Guy Briggs rgb at redhat.com
Wed Apr 6 15:21:43 UTC 2016


On 16/04/06, Paul Moore wrote:
> On Wed, Apr 6, 2016 at 9:53 AM, Lev Stipakov <lstipakov at gmail.com> wrote:
> > Hello,
> >
> > Sometimes audit of "execve" syscall generates events with truncated "comm"
> > values, for example:
> >
> > type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59
> > success=yes exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2 ppid=2183
> > pid=26566 auid=4294967295 uid=1001 gid=1001 euid=1001
> > suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none)
> > ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"
> >
> > Why is "comm" "gnome-calculato" and not "/usr/bin/gnome-calculator"?
> 
> This is due to a limitation in how the kernel records the comm field
> and isn't likely to change.

It is set in the kernel, in file include/linux/sched.h,
struct task_struct, member comm, with length TASK_COMM_LEN which is 16.

Changing it would break all kinds of stuff, so as was mentioned,
PROCTITLE is used to get the kind of information you seek.

> paul moore

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
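The following is an added example, not code from this thread or from the kernel or audit projects. It models what the reply above describes: on execve the kernel stores only the basename of the executed path in task_struct.comm, cut to TASK_COMM_LEN-1 (15) bytes, so a detection rule that compares comm= against a full program name never matches long names. It also decodes a PROCTITLE proctitle= value, which audit hex-encodes because the argv strings are NUL-separated, to recover the full command line. The helper names (expected_comm, comm_matches_exe, decode_proctitle) are this example's own, the proctitle hex string is constructed here to mirror the quoted record, and the decoder assumes the hex form of the field (audit emits a plain quoted string instead when the value has no special bytes).

```c
/* Added example, not code from the linux-audit thread. It models how the
 * kernel derives the audit "comm" value (basename of the exec'd path cut
 * to TASK_COMM_LEN-1 bytes) and decodes the PROCTITLE record that carries
 * the full argv. TASK_COMM_LEN is the real kernel constant; the helper
 * names are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TASK_COMM_LEN 16 /* include/linux/sched.h: 15 bytes + NUL */

/* On execve the kernel copies the basename of the executed path into
 * task_struct.comm with a TASK_COMM_LEN-sized copy, so at most 15 bytes
 * survive: "gnome-calculator" (16 bytes) becomes "gnome-calculato". */
void expected_comm(const char *exe_path, char out[TASK_COMM_LEN])
{
    const char *slash = strrchr(exe_path, '/');
    const char *base = slash ? slash + 1 : exe_path;
    strncpy(out, base, TASK_COMM_LEN - 1);
    out[TASK_COMM_LEN - 1] = '\0';
}

/* Does a record's comm= value match an executable path? A naive
 * comparison against the full basename never matches for names of 16
 * bytes or more; compare against the truncated form instead. */
int comm_matches_exe(const char *comm, const char *exe_path)
{
    char want[TASK_COMM_LEN];
    expected_comm(exe_path, want);
    return strcmp(comm, want) == 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

static char *dup_range(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

/* Decode a hex-encoded proctitle= value into argv[]. audit hex-encodes
 * the field because the argv strings are separated by NUL bytes; each NUL
 * closes one argument, and a final unterminated argument is kept too.
 * Returns argc (strings are malloc'd, caller frees) or -1 on bad hex. */
int decode_proctitle(const char *hex, char **argv, int max_argv)
{
    size_t n = strlen(hex), len = 0, start = 0;
    int argc = 0;
    if (n % 2) return -1;
    char *buf = malloc(n / 2 + 1);
    if (!buf) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) { free(buf); return -1; }
        buf[len++] = (char)(hi << 4 | lo);
    }
    for (size_t i = 0; i < len && argc < max_argv; i++) {
        if (buf[i] == '\0') {
            argv[argc++] = dup_range(buf + start, i - start);
            start = i + 1;
        }
    }
    if (start < len && argc < max_argv)
        argv[argc++] = dup_range(buf + start, len - start);
    free(buf);
    return argc;
}

int main(void)
{
    /* Constructed inputs mirroring the record quoted in the thread:
     * argv = {"gnome-calculator", "--help"} as audit would hex-encode it. */
    const char *exe = "/usr/bin/gnome-calculator";
    const char *proctitle_hex = "676E6F6D652D63616C63756C61746F72002D2D68656C70";
    char comm[TASK_COMM_LEN];
    char *argv[8];

    expected_comm(exe, comm);
    printf("exe=%s -> comm=\"%s\" (%zu of %zu bytes kept)\n",
           exe, comm, strlen(comm), strlen(strrchr(exe, '/') + 1));

    int argc = decode_proctitle(proctitle_hex, argv, 8);
    for (int i = 0; i < argc; i++) {
        printf("argv[%d]=%s\n", i, argv[i]);
        free(argv[i]);
    }
    return 0;
}
```

Two practical consequences for anyone writing audit rules or detections: match on exe= or on the decoded PROCTITLE rather than on comm= when the program name is 16 characters or longer, and treat comm= as untrusted in any case, since a process can rewrite its own comm with prctl(PR_SET_NAME) or by writing /proc/self/comm.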