From: Alan Evangelista
Date: Thu, 18 Mar 2021 16:31:48 -0300
Subject: Additional parameter in PROCTITLE.proctitle when executing rm
To: Linux-Audit Mailing List

I'm trying to audit commands run in bash, including the commands' arguments. The proctitle parameter in the PROCTITLE record seems to be the most reliable source to get that, but it does not contain exactly the "rm" command I have typed on bash.
Example:

1) rm /data/test2.txt -f

type=SYSCALL msg=audit(1616095201.302:40381): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=1b1f0c0 a2=0 a3=7fff3677a720 items=3 ppid=15954 pid=3398 auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2663 comm="rm" exe="/usr/bin/rm" key="filesystem_op"
type=CWD msg=audit(1616095201.302:40381): cwd="/home/aevangelista"
type=PATH msg=audit(1616095201.302:40381): item=0 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=1 name="/data/" inode=64 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=2 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1616095201.302:40381): proctitle=726D002D69002F646174612F74657374322E747874002D66

The proctitle value 726D002D69002F646174612F74657374322E747874002D66 is equal to "rm -i /data/test2.txt -f" in ASCII. Where did this -i come from? Is it expected?

Regards,
Alan
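Added example, not part of Alan's message and not code from the audit project: a small Python decoder that parses the six records quoted above, turns the hex PROCTITLE value back into argv by splitting on the NUL separators the kernel leaves between arguments, joins the records of one event by their serial number, and reports who deleted what through which syscall. The function names, the one-entry x86_64 syscall table and the AT_FDCWD constant are mine; the only input is the set of records quoted in the message.

```python
from __future__ import annotations
import re
from collections import defaultdict

# The six records quoted in the message above, one per line (the mail runs
# them together on a single line). Nothing else is constructed.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1616095201.302:40381): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=1b1f0c0 a2=0 a3=7fff3677a720 items=3 ppid=15954 pid=3398 auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2663 comm="rm" exe="/usr/bin/rm" key="filesystem_op"
type=CWD msg=audit(1616095201.302:40381): cwd="/home/aevangelista"
type=PATH msg=audit(1616095201.302:40381): item=0 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=1 name="/data/" inode=64 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=2 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1616095201.302:40381): proctitle=726D002D69002F646174612F74657374322E747874002D66
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Fields auditd writes as "untrusted strings": double-quoted when printable,
# otherwise hex-encoded. Numeric hex fields such as arch or a0 must NOT be
# decoded, so only these names are passed through decode_audit_value().
UNTRUSTED_FIELDS = {'name', 'comm', 'exe', 'cwd', 'key'}

# x86_64 (arch=c000003e) syscall numbers; only the one in this message is listed.
X86_64_SYSCALLS = {263: 'unlinkat'}
AT_FDCWD = 'ffffffffffffff9c'   # -100 printed as an unsigned 64-bit value


def decode_audit_value(raw: str) -> str:
    """Return the text of an untrusted-string field, quoted or hex-encoded.
    Embedded NUL bytes survive so callers can split argv on them."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def proctitle_argv(raw: str) -> list[str]:
    """PROCTITLE carries the process's argv area with the kernel's NUL
    separators intact: 726D002D69... -> ['rm', '-i', '/data/test2.txt', '-f'].
    A one-word command line contains no NUL, so auditd prints it quoted."""
    parts = decode_audit_value(raw).split('\0')
    if len(parts) > 1 and parts[-1] == '':
        parts.pop()   # tolerate a trailing separator
    return parts


def parse_record(line: str) -> dict:
    """Split one record into key=value fields, decode untrusted strings, and
    replace msg=audit(ts:serial) with separate timestamp/serial keys."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = decode_audit_value(value) if key in UNTRUSTED_FIELDS else value
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError(f'not an audit record: {line!r}')
    fields.pop('msg', None)
    fields['timestamp'], fields['serial'] = m.group(1), int(m.group(2))
    return fields


def group_events(lines) -> dict:
    """Join the records sharing one serial number into one event structure."""
    events = defaultdict(lambda: {'syscall': None, 'cwd': None, 'paths': [], 'argv': None})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        ev = events[rec['serial']]
        if rec['type'] == 'SYSCALL':
            ev['syscall'] = rec
        elif rec['type'] == 'CWD':
            ev['cwd'] = rec['cwd']
        elif rec['type'] == 'PATH':
            ev['paths'].append(rec)
        elif rec['type'] == 'PROCTITLE':
            ev['argv'] = proctitle_argv(rec['proctitle'])
    return dict(events)


def summarize(ev: dict) -> dict:
    """What an analyst wants from one event: who ran which argv, through which
    syscall, and which PATH item was actually deleted."""
    sc = ev['syscall']
    argv = ev['argv'] or []
    is_x86_64 = sc.get('arch') == 'c000003e'
    return {
        'argv': argv,
        'options': [a for a in argv[1:] if a.startswith('-')],
        # comm is the kernel's name for the task; argv[0] lives in memory the
        # process can rewrite, so a mismatch between them deserves a second look.
        'argv0_matches_comm': bool(argv) and argv[0].rsplit('/', 1)[-1] == sc['comm'],
        'exe': sc['exe'],
        'auid': sc['auid'], 'uid': sc['uid'], 'tty': sc['tty'], 'ses': sc['ses'],
        'syscall': X86_64_SYSCALLS.get(int(sc['syscall']), sc['syscall']) if is_x86_64 else sc['syscall'],
        'dirfd_is_cwd': sc['a0'] == AT_FDCWD,
        'cwd': ev['cwd'],
        'deleted': [p['name'] for p in ev['paths'] if p.get('objtype') == 'DELETE'],
    }


if __name__ == '__main__':
    for serial, ev in group_events(SAMPLE_RECORDS.splitlines()).items():
        print(serial, summarize(ev))
```

On the question itself: PROCTITLE reflects the argv the process was started with, after the interactive shell has expanded any alias or shell function, so an alias such as alias rm='rm -i' (which Red Hat-family distributions define for root in /root/.bashrc) produces exactly the argv decoded here; running `type rm` in the same shell is the quickest way to confirm. The record alone does not prove that origin, so treat it as the hypothesis to check. Two caveats when relying on proctitle as the primary source of command lines: the kernel caps the PROCTITLE value at 128 bytes, and the value is read from the process's own argv memory, which the process can overwrite after it starts. An audit rule on the execve syscall yields EXECVE records whose a0, a1, ... fields are captured at exec time and carry the full argument list.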
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit