Is auditing ftruncate useful?
Lenny Bruzenak
lenny at magitekltd.com
Thu Feb 6 18:33:19 UTC 2020
On 2/6/20 11:12 AM, Orion Poplawski wrote:
> Doesn't seem much better:
>
> type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) : proctitle=/bin/bash
> /usr/bin/thunderbird
> type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
> syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018
> a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER euid=USER
> suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=1
> comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watched_users
>
> Why no PATH entry? I have them for things like open:
The kernel guys can probably answer this accurately.
My guess is that because with open, the path must be validated, but
ftruncate works on a file descriptor; maybe gets no path validation.
LCB
--
LC Bruzenak
MagitekLTD
More information about the Linux-audit
mailing list