Is auditing ftruncate useful?

Orion Poplawski orion at nwra.com
Fri Feb 7 23:17:31 UTC 2020


On 2/7/20 2:56 PM, Paul Moore wrote:
> 
> On February 7, 2020 2:18:33 PM Steve Grubb <sgrubb at redhat.com> wrote:
>> On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote:
>>>> Doesn't seem much better:
>>>>
>>>> type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) :
>>>> proctitle=/bin/bash /usr/bin/thunderbird
>>>> type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
>>>> syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018
>>>> a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER
>>>> euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none)
>>>> ses=1 comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird
>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> key=watched_users
>>>> Why no PATH entry?  I have them for things like open:
>>>
>>> The kernel guys can probably answer this accurately.
>>
>> I would have thought that they would have chimed in by now. Since they didn't,
>> you might want to file an issue on GitHub. I think you found a problem that
>> someone should look into some day.
> 
> One of them (me) is on vacation, and only dealing with emergencies as they arise - this isn't one of those.  I'm not sure what Richard is doing, but you'll get an answer when I'm back in "the office" if Richard doesn't comment first.
> 
> That said, it's always okay to file a GH issue.
> 
> --
> paul moore
> www.paul-moore.com

Thanks, filed here:

https://github.com/linux-audit/audit-kernel/issues/119

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
