Is auditing ftruncate useful?

Orion Poplawski orion at nwra.com
Wed Feb 5 23:27:50 UTC 2020


I would like to track file modifications made by a specific UID.  I have:

-a exit,never -F dir=/proc/
-a exit,never -F dir=/var/cache/
-a exit,never -F path=/etc/passwd -F exe=/usr/bin/kdeinit4
-a exit,never -F exe=/usr/libexec/gam_server
-a always,exit -F arch=b32 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k watched_users
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k watched_users

but as near as I can tell, this is all that gets logged for ftruncate:


type=SYSCALL msg=audit(1580944297.114:831002): arch=c000003e syscall=77
success=yes exit=0 a0=33 a1=28 a2=7f3417100018 a3=1 items=0 ppid=23746
pid=23816 auid=XXXXX uid=XXXXX gid=XXXXX euid=XXXXX suid=XXXXX fsuid=XXXXX
egid=XXXXX sgid=XXXXX fsgid=XXXXX tty=(none) ses=1 comm=57656220436F6E74656E74
exe="/usr/lib64/firefox/firefox"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="watched_users"
type=PROCTITLE msg=audit(1580944297.114:831002):
proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D6368696C6449440031002D6973466F7242726F77736572002D70726566734C656E0031002D707265664D617053697A6500313833303834002D706172656E744275696C644944003230323030313133313131393133002D

which does not appear to contain enough information to determine what file was
truncated.  Am I missing something?

This is on EL7.

Thanks!

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
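The ftruncate record quoted above has items=0 because the kernel only sees a descriptor at that point, so no PATH record is emitted; the only way to get a file name back out of the log is to correlate a0 (the fd, printed in hex) with the earlier successful open/openat/creat in the same pid whose exit value (printed in decimal) is that fd. The Python script below is an added example, not code from the post or from the audit project: it parses raw audit records, hex-decodes fields such as comm= and proctitle=, and resolves each audited ftruncate to the path its fd most recently referred to. The openat event (serial 830990), its CWD/PATH items and the /home/example paths are constructed sample data; the ftruncate SYSCALL record is the one from the post, rejoined onto a single line, with its PROCTITLE record shortened.

```python
"""Resolve the target of an audited ftruncate() from the open() that produced its fd.

Added example, not code from the original post. An ftruncate SYSCALL record carries
no PATH item (items=0), so the name is recovered by matching a0 (fd, hex) against
an earlier successful open/openat/creat in the same pid whose exit (decimal) is that fd.
"""
import re
from collections import defaultdict

# Syscall numbers keyed by the arch field: x86_64 is c000003e, i386 is 40000003.
OPENERS = {"c000003e": {2, 85, 257}, "40000003": {5, 8, 295}}   # open, creat, openat
TRUNCATERS = {"c000003e": {77}, "40000003": {93}}                # ftruncate
CLOSERS = {"c000003e": {3}, "40000003": {6}}                     # close, if it is audited

# Unquoted values of these fields are hex-encoded when they contain spaces or
# control characters (comm= and proctitle= in the post are examples).
HEX_FIELDS = {"comm", "proctitle", "exe", "name", "cwd", "key"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def decode_value(field, raw):
    """Strip quotes, or hex-decode an unquoted string field (NUL separators become spaces)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ").rstrip()
    return raw


def parse_record(line):
    """Parse one audit record into a dict; _serial groups the records of one event."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"_ts": float(m.group(1)), "_serial": int(m.group(2))}
    for field, raw in KV_RE.findall(line):
        if field != "msg":
            rec[field] = decode_value(field, raw)
    return rec


def group_events(lines):
    """Return events (lists of records sharing a serial) in serial order."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return [events[s] for s in sorted(events)]


def first_of(event, rtype):
    return next((r for r in event if r.get("type") == rtype), None)


def opened_path(event):
    """Name of the object an open touched: the NORMAL or CREATE PATH item, else the last one."""
    paths = [r for r in event if r.get("type") == "PATH"]
    for r in paths:
        if r.get("nametype") in ("NORMAL", "CREATE"):
            return r.get("name")
    return paths[-1].get("name") if paths else None


def resolve_ftruncate_targets(lines):
    """For each successful ftruncate event report the path its fd last referred to, or
    None when no audited open in that pid returned the fd (descriptor predates auditing,
    or came from a syscall outside the rule set)."""
    open_fds = {}   # (pid, fd) -> (serial of the open, path)
    results = []
    for event in group_events(lines):
        sc = first_of(event, "SYSCALL")
        if sc is None or sc.get("success") != "yes":
            continue
        arch, nr, pid = sc.get("arch"), int(sc["syscall"]), int(sc["pid"])
        if nr in OPENERS.get(arch, ()):
            open_fds[(pid, int(sc["exit"]))] = (sc["_serial"], opened_path(event))
        elif nr in CLOSERS.get(arch, ()):
            open_fds.pop((pid, int(sc["a0"], 16)), None)     # fd number may be reused
        elif nr in TRUNCATERS.get(arch, ()):
            fd = int(sc["a0"], 16)                           # a0..a3 are hex
            opened_serial, path = open_fds.get((pid, fd), (None, None))
            pt = first_of(event, "PROCTITLE")
            results.append({
                "serial": sc["_serial"], "pid": pid, "comm": sc.get("comm"), "exe": sc.get("exe"),
                "fd": fd, "new_length": int(sc["a1"], 16), "path": path,
                "opened_by_serial": opened_serial, "proctitle": pt.get("proctitle") if pt else None,
            })
    return results


# Constructed sample: an openat in the same pid that returned fd 51 (0x33), then the
# ftruncate record from the post on one line with its PROCTITLE shortened.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1580944296.990:830990): arch=c000003e syscall=257 success=yes exit=51 a0=ffffff9c a1=7f3417100100 a2=2 a3=0 items=2 ppid=23746 pid=23816 auid=XXXXX uid=XXXXX comm=57656220436F6E74656E74 exe="/usr/lib64/firefox/firefox" key="watched_users"
type=CWD msg=audit(1580944296.990:830990): cwd="/home/example"
type=PATH msg=audit(1580944296.990:830990): item=0 name="/home/example/.cache/" inode=1 dev=fd:01 mode=040700 nametype=PARENT
type=PATH msg=audit(1580944296.990:830990): item=1 name="/home/example/.cache/example.sqlite" inode=2 dev=fd:01 mode=0100600 nametype=NORMAL
type=SYSCALL msg=audit(1580944297.114:831002): arch=c000003e syscall=77 success=yes exit=0 a0=33 a1=28 a2=7f3417100018 a3=1 items=0 ppid=23746 pid=23816 auid=XXXXX uid=XXXXX gid=XXXXX euid=XXXXX suid=XXXXX fsuid=XXXXX egid=XXXXX sgid=XXXXX fsgid=XXXXX tty=(none) ses=1 comm=57656220436F6E74656E74 exe="/usr/lib64/firefox/firefox" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="watched_users"
type=PROCTITLE msg=audit(1580944297.114:831002): proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63
"""

if __name__ == "__main__":
    for r in resolve_ftruncate_targets(SAMPLE_LOG.splitlines()):
        print(f"event {r['serial']}: pid {r['pid']} ({r['comm']}) ftruncate(fd={r['fd']}, "
              f"len={r['new_length']}) -> {r['path'] or '<fd not seen being opened>'}")
```

Two caveats apply to this kind of correlation. A descriptor number is reused after close(), so unless close is also in the watched syscall set (the rules above do not include it) the mapping can go stale; the script invalidates it when a close record is present. And PATH name= may be relative to the CWD record of the same event, so a production version should join the two. `ausearch -i` performs the same hex-to-text interpretation of comm= and proctitle= shown in decode_value, but it does not do the fd-to-path matching.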
