Is auditing ftruncate useful?

Orion Poplawski orion at nwra.com
Thu Feb 6 18:12:32 UTC 2020 

On 2/6/20 8:37 AM, Lenny Bruzenak wrote:
> On 2/5/20 4:27 PM, Orion Poplawski wrote:
> 
>> I would like to track file modifications made by a specific UID.  I have:
>>
>> -a exit,never -F dir=/proc/
>> -a exit,never -F dir=/var/cache/
>> -a exit,never -F path=/etc/passwd -F exe=/usr/bin/kdeinit4
>> -a exit,never -F exe=/usr/libexec/gam_server
>> -a always,exit -F arch=b32 -S
>> open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k
>> watched_users
>> -a always,exit -F arch=b64 -S
>> open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k
>> watched_users
>>
>> but as near as I can tell, this is all that gets logged for ftruncate:
>>
>>
>> type=SYSCALL msg=audit(1580944297.114:831002): arch=c000003e syscall=77
>> success=yes exit=0 a0=33 a1=28 a2=7f3417100018 a3=1 items=0 ppid=23746
>> pid=23816 auid=XXXXX uid=XXXXX gid=XXXXX euid=XXXXX suid=XXXXX fsuid=XXXXX
>> egid=XXXXX sgid=XXXXX fsgid=XXXXX tty=(none) ses=1 comm=57656220436F6E74656E74
>> exe="/usr/lib64/firefox/firefox"
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="watched_users"
>> type=PROCTITLE msg=audit(1580944297.114:831002):
>> proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D6368696C6449440031002D6973466F7242726F77736572002D70726566734C656E0031002D707265664D617053697A6500313833303834002D706172656E744275696C644944003230323030313133313131393133002D
>>
>>
>> which does not appear to contain enough information to determine what file was
>> truncated.  Am I missing something?
>>
>> This is on EL7.
>>
> For starters, I'd interpret:
> 
> # ausearch -i -k watched_users
> 
> LCB
> 

Doesn't seem much better:

type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) : proctitle=/bin/bash
/usr/bin/thunderbird
type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018
a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER euid=USER
suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=1
comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watched_users

Why no PATH entry?  I have them for things like open:

type=PROCTITLE msg=audit(02/06/2020 10:59:05.170:120649) : proctitle=kdeinit4:
konsole [kdeinit] -session 102311da
type=PATH msg=audit(02/06/2020 10:59:05.170:120649) : item=0 name=/etc/passwd
inode=1323462 dev=08:07 mode=file,644 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL cap_fp=none cap_fi=none
cap_fe=0 cap_fver=0
type=CWD msg=audit(02/06/2020 10:59:05.170:120649) :  cwd=/home/USER
type=SYSCALL msg=audit(02/06/2020 10:59:05.170:120649) : arch=x86_64
syscall=open success=yes exit=26 a0=0x7fe1b291b552 a1=O_RDONLY|O_CLOEXEC
a2=0x1b6 a3=0x24 items=1 ppid=1 pid=3141 auid=USER uid=USER gid=USER euid=USER
suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=1
comm=konsole exe=/usr/bin/kdeinit4
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watched_users

or even with other rules for fchown:

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

type=PROCTITLE msg=audit(02/06/2020 10:59:30.562:59894) : proctitle=kwin
-session 106f726361000123384967700000029380000_1548775895_794186
type=PATH msg=audit(02/06/2020 10:59:30.562:59894) : item=0 name=(null)
inode=595335 dev=fd:01 mode=file,600 ouid=USER ogid=USER rdev=00:00
obj=unconfined_u:object_r:config_home_t:s0 objtype=NORMAL cap_fp=none
cap_fi=none cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(02/06/2020 10:59:30.562:59894) : arch=x86_64
syscall=fchown success=yes exit=0 a0=0xd a1=0x584b a2=0x584b a3=0xc items=1
ppid=27089 pid=27152 auid=USER uid=USER gid=USER euid=USER suid=USER
fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=16 comm=kwin
exe=/usr/bin/kwin subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=perm_mod

There I only get an inode entry which I'll have to interpret - but that seems
expected for syscalls that operate on file handles.

Thanks.

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3799 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20200206/01822465/attachment.p7s>

More information about the Linux-audit mailing list