Is auditing ftruncate useful?
Steve Grubb
sgrubb at redhat.com
Fri Feb 7 19:17:17 UTC 2020
On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote:
> > Doesn't seem much better:
> >
> > type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) :
> > proctitle=/bin/bash /usr/bin/thunderbird
> > type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
> > syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018
> > a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER
> > euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none)
> > ses=1 comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=watched_users
> > Why no PATH entry? I have them for things like open:
>
> The kernel guys can probably answer this accurately.
I would have thought that they would have chimed in by now. Since they didn't
you might want to file an issue on github. I think you found a problem that
someone should look into some day.
https://github.com/linux-audit/audit-kernel/issues
-Steve
More information about the Linux-audit
mailing list