From: Ondrej Mosnacek
Date: Thu, 18 Mar 2021 21:01:30 +0100
Subject: Re: Additional parameter in PROCTITLE.proctitle when executing rm
To: Alan Evangelista
Cc: Linux-Audit Mailing List
List-Id: Linux Audit Discussion
On Thu, Mar 18, 2021 at 8:32 PM Alan Evangelista wrote:
> I'm trying to audit commands run in bash, including the commands' arguments. The proctitle parameter in the PROCTITLE record seems to be the most reliable source to get that, but it does not contain exactly the "rm" command I have typed on bash. Example:
>
> 1) rm /data/test2.txt -f
>
> type=SYSCALL msg=audit(1616095201.302:40381): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=1b1f0c0 a2=0 a3=7fff3677a720 items=3 ppid=15954 pid=3398 auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2663 comm="rm" exe="/usr/bin/rm" key="filesystem_op"
> type=CWD msg=audit(1616095201.302:40381): cwd="/home/aevangelista"
> type=PATH msg=audit(1616095201.302:40381): item=0 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=PATH msg=audit(1616095201.302:40381): item=1 name="/data/" inode=64 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=PATH msg=audit(1616095201.302:40381): item=2 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=PROCTITLE msg=audit(1616095201.302:40381): proctitle=726D002D69002F646174612F74657374322E747874002D66
>
> The proctitle value 726D002D69002F646174612F74657374322E747874002D66 is equal to "rm -i /data/test2.txt -f" in ASCII. Where did this -i come from? Is it expected?

Perhaps a shell alias? What does `type rm` say?

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
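The decoding step behind this exchange, as an added example that is not part of the thread and not code from audit-userspace: it groups the records quoted above by their `msg=audit(timestamp:serial)` key, turns the hex `proctitle=` value back into the argv the kernel saw at execve(), and lists any argument that the command typed at the prompt did not contain. The function names (`decode_proctitle`, `group_events`, `explain_event`, `unexpected_args`) and the inline log are mine; the log is the single event from the thread, embedded as constructed input.

```python
import os
import re
import shlex
from collections import defaultdict

# Constructed input: the single audit event (serial 40381) quoted in the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1616095201.302:40381): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=1b1f0c0 a2=0 a3=7fff3677a720 items=3 ppid=15954 pid=3398 auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2663 comm="rm" exe="/usr/bin/rm" key="filesystem_op"
type=CWD msg=audit(1616095201.302:40381): cwd="/home/aevangelista"
type=PATH msg=audit(1616095201.302:40381): item=0 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=1 name="/data/" inode=64 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=2 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1616095201.302:40381): proctitle=726D002D69002F646174612F74657374322E747874002D66
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(rest):
    """Split 'k=v k="quoted v"' into a dict, dropping the surrounding quotes."""
    fields = {}
    for key, val in FIELD_RE.findall(rest):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def decode_proctitle(value):
    """Turn a proctitle= value into the argv list the kernel saw at execve().

    The kernel copies the process's cmdline, in which argv entries are separated
    by NUL bytes, and hex-encodes the whole field whenever it contains bytes
    outside the plain printable range (a NUL separator always does). A title with
    no separators arrives as an ordinary quoted string; both forms are handled.
    """
    if value.startswith('"'):
        return [value.strip('"')]
    raw = bytes.fromhex(value)
    return [part.decode('utf-8', errors='replace') for part in raw.split(b'\x00') if part]


def group_events(lines):
    """Group records by (timestamp, serial): every record of one event shares them."""
    events = defaultdict(list)
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            events[(m['ts'], m['serial'])].append((m['type'], parse_fields(m['rest'])))
    return events


def explain_event(records):
    """Summarise one event: who ran which binary with which argv, and what got unlinked."""
    syscall = next((f for t, f in records if t == 'SYSCALL'), {})
    cwd = next((f for t, f in records if t == 'CWD'), {})
    title = next((f for t, f in records if t == 'PROCTITLE'), {})
    return {
        'auid': syscall.get('auid'),
        'exe': syscall.get('exe'),
        'comm': syscall.get('comm'),
        'cwd': cwd.get('cwd'),
        'argv': decode_proctitle(title.get('proctitle', '""')),
        'deleted': [f['name'] for t, f in records
                    if t == 'PATH' and f.get('objtype') == 'DELETE'],
    }


def unexpected_args(typed_command, argv):
    """Arguments present at execve() that the typed command line did not contain.

    A non-empty result means something between the prompt and execve() rewrote the
    command (a shell alias or function, or a wrapper script), which is the situation
    the thread asks about. argv[0] is compared by basename so that 'rm' typed at the
    prompt still matches an alias that expands to '/usr/bin/rm'.
    """
    typed = shlex.split(typed_command)
    actual = ([os.path.basename(argv[0])] + argv[1:]) if argv else []
    return [arg for arg in actual if arg not in typed]


if __name__ == '__main__':
    for (ts, serial), records in group_events(SAMPLE_LOG.splitlines()).items():
        info = explain_event(records)
        print(f'event {serial} @ {ts}: auid={info["auid"]} exe={info["exe"]} argv={info["argv"]}')
        print('  unlinked:', info['deleted'])
        print('  not in the typed command:', unexpected_args('rm /data/test2.txt -f', info['argv']))
```

For the event above, `unexpected_args('rm /data/test2.txt -f', ...)` returns `['-i']`: the audit trail records what reached the kernel, so an alias such as `rm='rm -i'` shows up in PROCTITLE even though the user never typed it. When auditing interactive commands, treat the decoded argv (not the shell history) as the ground truth, and use `type rm` or `alias` on the host to explain any difference.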