Is auditing ftruncate useful?

Paul Moore paul at paul-moore.com
Fri Feb 7 21:56:04 UTC 2020


On February 7, 2020 2:18:33 PM Steve Grubb <sgrubb at redhat.com> wrote:
> On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote:
>>> Doesn't seem much better:
>>>
>>> type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) :
>>> proctitle=/bin/bash /usr/bin/thunderbird
>>> type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
>>> syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018
>>> a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER
>>> euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none)
>>> ses=1 comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird
>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> key=watched_users
>>>
>>> Why no PATH entry?  I have them for things like open:
>>
>> The kernel guys can probably answer this accurately.
>
> I would have thought that they would have chimed in by now. Since they didn't,
> you might want to file an issue on GitHub. I think you found a problem that
> someone should look into some day.

One of them (me) is on vacation, and only dealing with emergencies as they arise - this isn't one of those.  I'm not sure what Richard is doing, but you'll get an answer when I'm back in "the office" if Richard doesn't comment first.

That said, it's always okay to file a GH issue.

--
paul moore
www.paul-moore.com






