From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Is auditing ftruncate useful?
Date: Fri, 07 Feb 2020 14:17:17 -0500
Message-ID: <1758232.KkKbY19U6n@x2>
In-Reply-To: <57c2b1a1-5406-4d77-9dc5-ad6c99b987a8@magitekltd.com>

On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote:
> > Doesn't seem much better:
> > 
> > type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) :
> > proctitle=/bin/bash /usr/bin/thunderbird
> > type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
> > syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018
> > a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER
> > euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none)
> > ses=1 comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=watched_users
> > Why no PATH entry?  I have them for things like open:
>
> The kernel guys can probably answer this accurately.

I would have thought that they would have chimed in by now. Since they didn't,
you might want to file an issue on GitHub. I think you found a problem that
someone should look into some day.

https://github.com/linux-audit/audit-kernel/issues

-Steve
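
An added example, not part of the original message or of the audit project's code: it groups `ausearch -i` style records by event serial, reports `ftruncate` events that carry no PATH record, and guesses the file from an earlier open by the same pid whose return value equals the descriptor in `a0`. The openat event and its path are constructed for illustration, and the correlation is a heuristic that assumes the open was audited and the descriptor was not duplicated, inherited or reused.

```python
import re
from collections import defaultdict

# Constructed records in `ausearch -i` format. Event 119631 is shortened from the
# record quoted above; event 119600 (an openat returning fd 74) is invented.
SAMPLE = """\
type=PATH msg=audit(02/06/2020 10:58:20.100:119600) : item=0 name=/home/USER/example.dat nametype=NORMAL
type=SYSCALL msg=audit(02/06/2020 10:58:20.100:119600) : arch=x86_64 syscall=openat success=yes exit=74 items=1 pid=3561 comm=thunderbird
type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) : proctitle=/bin/bash /usr/bin/thunderbird
type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 items=0 ppid=2451 pid=3561 comm=thunderbird key=watched_users
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\)\s*:\s*(.*)$")
OPENERS = {"open", "openat", "openat2", "creat"}

def parse_events(text):
    """Group records by event serial: {serial: {"SYSCALL": fields, "PATH": [names]}}."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": []})
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _stamp, serial, body = m.groups()
        fields = dict(re.findall(r"(\w+)=(\S+)", body))
        if rtype == "SYSCALL":
            events[int(serial)]["SYSCALL"] = fields
        elif rtype == "PATH":
            events[int(serial)]["PATH"].append(fields.get("name", "?"))
    return events

def pathless_fd_events(text, syscalls=("ftruncate",)):
    """Return SYSCALL events with no PATH record, plus a best-effort file guess."""
    events = parse_events(text)
    findings = []
    for serial in sorted(events):
        sc = events[serial]["SYSCALL"]
        if not sc or sc.get("syscall") not in syscalls or events[serial]["PATH"]:
            continue
        fd = int(sc["a0"], 16)  # first argument of ftruncate(2) is the descriptor
        guess = None
        for earlier in sorted(s for s in events if s < serial):
            op = events[earlier]["SYSCALL"]
            if (op and op.get("syscall") in OPENERS and op.get("pid") == sc.get("pid")
                    and op.get("success") == "yes" and op.get("exit") == str(fd)):
                names = events[earlier]["PATH"]
                guess = names[-1] if names else None  # most recent open wins
        findings.append({"serial": serial, "pid": sc.get("pid"), "fd": fd,
                         "length": int(sc["a1"], 16), "probable_path": guess})
    return findings
```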
