On 2/6/20 8:37 AM, Lenny Bruzenak wrote:
> On 2/5/20 4:27 PM, Orion Poplawski wrote:
>
>> I would like to track file modifications made by a specific UID.  I have:
>>
>> -a exit,never -F dir=/proc/
>> -a exit,never -F dir=/var/cache/
>> -a exit,never -F path=/etc/passwd -F exe=/usr/bin/kdeinit4
>> -a exit,never -F exe=/usr/libexec/gam_server
>> -a always,exit -F arch=b32 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k watched_users
>> -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F uid=XXXXX -k watched_users
>>
>> but as near as I can tell, this is all that gets logged for ftruncate:
>>
>> type=SYSCALL msg=audit(1580944297.114:831002): arch=c000003e syscall=77
>> success=yes exit=0 a0=33 a1=28 a2=7f3417100018 a3=1 items=0 ppid=23746
>> pid=23816 auid=XXXXX uid=XXXXX gid=XXXXX euid=XXXXX suid=XXXXX fsuid=XXXXX
>> egid=XXXXX sgid=XXXXX fsgid=XXXXX tty=(none) ses=1 comm=57656220436F6E74656E74
>> exe="/usr/lib64/firefox/firefox"
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="watched_users"
>> type=PROCTITLE msg=audit(1580944297.114:831002):
>> proctitle=2F7573722F6C696236342F66697265666F782F66697265666F78002D636F6E74656E7470726F63002D6368696C6449440031002D6973466F7242726F77736572002D70726566734C656E0031002D707265664D617053697A6500313833303834002D706172656E744275696C644944003230323030313133313131393133002D
>>
>> which does not appear to contain enough information to determine what file was
>> truncated.  Am I missing something?
>>
>> This is on EL7.
>>
> For starters, I'd interpret:
>
> # ausearch -i -k watched_users
>
> LCB

Doesn't seem much better:

type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) : proctitle=/bin/bash /usr/bin/thunderbird
type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018 a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=1 comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watched_users

Why no PATH entry?  I have them for things like open:

type=PROCTITLE msg=audit(02/06/2020 10:59:05.170:120649) : proctitle=kdeinit4: konsole [kdeinit] -session 102311da
type=PATH msg=audit(02/06/2020 10:59:05.170:120649) : item=0 name=/etc/passwd inode=1323462 dev=08:07 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/06/2020 10:59:05.170:120649) : cwd=/home/USER
type=SYSCALL msg=audit(02/06/2020 10:59:05.170:120649) : arch=x86_64 syscall=open success=yes exit=26 a0=0x7fe1b291b552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=3141 auid=USER uid=USER gid=USER euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=1 comm=konsole exe=/usr/bin/kdeinit4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=watched_users

or even with other rules for fchown:

-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod

type=PROCTITLE msg=audit(02/06/2020 10:59:30.562:59894) : proctitle=kwin -session 106f726361000123384967700000029380000_1548775895_794186
type=PATH msg=audit(02/06/2020 10:59:30.562:59894) : item=0 name=(null) inode=595335 dev=fd:01 mode=file,600 ouid=USER ogid=USER rdev=00:00 obj=unconfined_u:object_r:config_home_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(02/06/2020 10:59:30.562:59894) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xd a1=0x584b a2=0x584b a3=0xc items=1 ppid=27089 pid=27152 auid=USER uid=USER gid=USER euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=16 comm=kwin exe=/usr/bin/kwin subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=perm_mod

There I only get an inode entry which I'll have to interpret - but that seems expected for syscalls that operate on file handles.

Thanks.

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                 https://www.nwra.com/
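The three cases in this thread (a PATH record with a real name, a PATH record with name=(null) plus inode/dev, and an fd-based syscall with items=0 and no PATH record at all) are exactly what an analyst has to tell apart when triaging a watched_users key. The script below is an added example written for this page, not code from the thread or from the audit project: it correlates `ausearch -i` records by event serial, classifies how much file identity each event carries, and, for the name=(null) case, recovers a path by walking a filesystem for the matching st_dev/st_ino pair. The sample records are constructed from the ones quoted above (USER stands in for the real uid as in the post), the FD_SYSCALLS set is the author's own shortlist, and the helper names are hypothetical. It assumes the `ausearch -i` output format, where a0 is printed in hex and dev is hex major:minor.

```python
"""Correlate `ausearch -i` records and report what each event tells us about the file touched.

Added example for this thread; parses the interpreted (-i) ausearch format only.
"""
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample, modelled on the records quoted in the thread.
SAMPLE_RECORDS = [
    "type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) : proctitle=/bin/bash /usr/bin/thunderbird",
    "type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018 a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird key=watched_users",
    "type=PROCTITLE msg=audit(02/06/2020 10:59:05.170:120649) : proctitle=kdeinit4: konsole [kdeinit] -session 102311da",
    "type=PATH msg=audit(02/06/2020 10:59:05.170:120649) : item=0 name=/etc/passwd inode=1323462 dev=08:07 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL",
    "type=CWD msg=audit(02/06/2020 10:59:05.170:120649) : cwd=/home/USER",
    "type=SYSCALL msg=audit(02/06/2020 10:59:05.170:120649) : arch=x86_64 syscall=open success=yes exit=26 a0=0x7fe1b291b552 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=1 pid=3141 auid=USER uid=USER comm=konsole exe=/usr/bin/kdeinit4 key=watched_users",
    "type=PATH msg=audit(02/06/2020 10:59:30.562:59894) : item=0 name=(null) inode=595335 dev=fd:01 mode=file,600 ouid=USER ogid=USER rdev=00:00 obj=unconfined_u:object_r:config_home_t:s0 objtype=NORMAL",
    "type=SYSCALL msg=audit(02/06/2020 10:59:30.562:59894) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xd a1=0x584b a2=0x584b a3=0xc items=1 ppid=27089 pid=27152 auid=USER uid=USER comm=kwin exe=/usr/bin/kwin key=perm_mod",
]

# Hypothetical shortlist of syscalls whose first argument is a file descriptor, not a path.
FD_SYSCALLS = {"ftruncate", "fchown", "fchmod", "write", "pwrite64", "fallocate", "fsetxattr"}

MSG_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\) : (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one record into (type, serial, fields); None for lines that are not audit records."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, stamp, body = m.groups()
    serial = stamp.rsplit(":", 1)[-1]          # "02/06/2020 10:58:23.626:119631" -> "119631"
    if rtype == "PROCTITLE":                    # proctitle may contain spaces; keep it whole
        fields = {"proctitle": body.split("proctitle=", 1)[1]}
    else:
        fields = dict(KV_RE.findall(body))
    return rtype, serial, fields


def correlate(lines):
    """Group records by serial: {serial: {"syscall": fields, "paths": [fields...], "proctitle": str}}."""
    events = defaultdict(lambda: {"syscall": None, "paths": [], "proctitle": None})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH":
            events[serial]["paths"].append(fields)
        elif rtype == "PROCTITLE":
            events[serial]["proctitle"] = fields["proctitle"]
    return dict(events)


def classify(ev):
    """How much file identity does the event carry?

    ("name", [paths])          PATH record(s) with a real file name
    ("inode", [(dev, inode)])  PATH record(s) present but name=(null): resolvable by device + inode
    ("fd", n)                  fd-based syscall with items=0: only the descriptor number survives,
                               and /proc/<pid>/fd/<n> is readable only while the process is alive
    ("none", None)             nothing usable
    """
    sc = ev["syscall"] or {}
    named = [p["name"] for p in ev["paths"] if p.get("name") not in (None, "(null)")]
    if named:
        return "name", named
    anon = [(p["dev"], int(p["inode"])) for p in ev["paths"] if p.get("name") == "(null)"]
    if anon:
        return "inode", anon
    if sc.get("syscall") in FD_SYSCALLS and sc.get("items") == "0":
        return "fd", int(sc["a0"], 16)          # ausearch -i prints a0 in hex
    return "none", None


def find_by_inode(root, dev, inode):
    """Walk `root` for the file matching a PATH record's dev=MAJ:MIN (hex) and inode=N."""
    major, minor = (int(x, 16) for x in dev.split(":"))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames + dirnames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if st.st_ino == inode and os.major(st.st_dev) == major and os.minor(st.st_dev) == minor:
                return full
    return None


def demo_resolve():
    """Self-check: create a temp file and recover its path from (dev, inode) alone, as for a name=(null) record."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "config.db")
        open(target, "w").close()
        st = os.lstat(target)
        dev = f"{os.major(st.st_dev):02x}:{os.minor(st.st_dev):02x}"
        return find_by_inode(tmp, dev, st.st_ino) == target


if __name__ == "__main__":
    for serial, ev in correlate(SAMPLE_RECORDS).items():
        sc = ev["syscall"] or {}
        print(serial, sc.get("syscall"), sc.get("exe"), classify(ev))
```

Run on a real box as `ausearch -i -k watched_users | python3 audit_triage.py` (reading stdin instead of SAMPLE_RECORDS) and the "fd" class is the list of events you cannot attribute to a file after the fact; that is the gap the thread observes for ftruncate, and it argues for watching the open/openat that produced the descriptor in the same session rather than the fd-based call alone.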