Is auditing ftruncate useful?
Lenny Bruzenak
lenny at magitekltd.com
Thu Feb 6 15:37:14 UTC 2020
On 2/5/20 4:27 PM, Orion Poplawski wrote:
> I would like to track file modifications made by a specific UID. I have:
>
> -a exit,never -F dir=/proc/
> -a exit,never -F dir=/var/cache/
> -a exit,never -F path=/etc/passwd -F exe=/usr/bin/kdeinit4
> -a exit,never -F exe=/usr/libexec/gam_server
> -a always,exit -F arch=b32 -S
> open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k
> watched_users
> -a always,exit -F arch=b64 -S
> open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k
> watched_users
>
> but as near as I can tell, this is all that gets logged for ftruncate:
>
>
> type=SYSCALL msg=audit(1580944297.114:831002): arch=c000003e syscall=77
> success=yes exit=0 a0=33 a1=28 a2=7f3417100018 a3=1 items=0 ppid=23746
> pid=23816 auid=XXXXX uid=XXXXX gid=XXXXX euid=XXXXX suid=XXXXX fsuid=XXXXX
> egid=XXXXX sgid=XXXXX fsgid=XXXXX tty=(none) ses=1 comm=57656220436F6E74656E74
> exe="/usr/lib64/firefox/firefox"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="watched_users"
> type=PROCTITLE msg=audit(1580944297.114:831002):
> proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D6368696C6449440031002D6973466F7242726F77736572002D70726566734C656E0031002D707265664D617053697A6500313833303834002D706172656E744275696C644944003230323030313133313131393133002D
>
> which does not appear to contain enough information to determine what file was
> truncated. Am I missing something?
>
> This is on EL7.
>
For starters, I'd interpret:
# ausearch -i -k watched_users
LCB
--
LC Bruzenak
MagitekLTD
More information about the Linux-audit
mailing list