From: Lev Stipakov
Subject: syscall - "comm" field truncated
Date: Wed, 6 Apr 2016 16:53:50 +0300
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

Sometimes audit of the "execve" syscall generates events with truncated "comm" values, for example:

type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59 success=yes exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2 ppid=2183 pid=26566 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"

Why is "comm" "gnome-calculato" and not "/usr/bin/gnome-calculator"?

Same for Firefox:

type=SYSCALL msg=audit(1459950158.667:1092149): arch=c000003e syscall=59 success=yes exit=0 a0=7f913ed1ddf0 a1=7f9144819be0 a2=7f9173f14400 a3=786f666572696600 items=2 ppid=26165 pid=26247 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="plugin-containe" exe="/usr/lib/firefox/plugin-container"

comm is "plugin-containe" and not "plugin-container".

Audit version is 2.4.2-1ubuntu1.

-Lev
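The following is an added example, not part of Lev's post or of the audit project. It parses audit SYSCALL records like the two quoted above and flags the case shown in them: a comm value that is exactly 15 characters long and a proper prefix of the basename of exe. The 15-character figure comes from the kernel's TASK_COMM_LEN (16 bytes including the terminating NUL), which is kernel knowledge and not something the post states. The third and fourth records, and the hex-encoded comm in the fourth, are constructed to show a non-truncated name and auditd's hex encoding of string fields containing special characters; the practical point for anyone writing detections is to match on exe (or the EXECVE arguments) rather than on comm when the program name is longer than 15 characters.

```python
import os
import re
from typing import Dict, List, Tuple

# Linux task->comm is TASK_COMM_LEN (16) bytes including the NUL terminator,
# so at most 15 visible characters. Stated from kernel knowledge, not from
# the original post.
MAX_COMM_CHARS = 15

# String fields that auditd writes either double-quoted or, when they contain
# characters such as spaces or quotes, as an unquoted uppercase hex string.
HEX_ENCODABLE_FIELDS = {"comm", "exe", "cwd", "name", "proctitle", "key"}

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Records 1 and 2 are the ones quoted in the post; 3 and 4 are constructed.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2 ppid=2183 pid=26566 '
    'auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 '
    'fsgid=1001 tty=(none) ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"',
    'type=SYSCALL msg=audit(1459950158.667:1092149): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=7f913ed1ddf0 a1=7f9144819be0 a2=7f9173f14400 a3=786f666572696600 items=2 '
    'ppid=26165 pid=26247 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 '
    'egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="plugin-containe" '
    'exe="/usr/lib/firefox/plugin-container"',
    # constructed: a short name that fits in comm
    'type=SYSCALL msg=audit(1459950500.000:1097090): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2183 pid=26600 auid=4294967295 uid=1001 '
    'gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) '
    'ses=4294967295 comm="bash" exe="/bin/bash"',
    # constructed: comm hex-encoded by auditd because the name contains a space
    'type=SYSCALL msg=audit(1459950501.000:1097091): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2183 pid=26601 auid=4294967295 uid=1001 '
    'gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) '
    'ses=4294967295 comm=6D792070726F6772616D exe="/home/user/my program"',
    # constructed: a non-SYSCALL record that the scan must skip
    'type=EXECVE msg=audit(1459950426.152:1097081): argc=1 a0="gnome-calculator"',
]


def decode_value(field: str, raw: str) -> str:
    """Strip surrounding quotes, or decode auditd's hex encoding for string fields."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in HEX_ENCODABLE_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_audit_record(line: str) -> Dict[str, str]:
    """Parse one audit record line into a field -> value dictionary."""
    return {k: decode_value(k, v) for k, v in _KV_RE.findall(line)}


def comm_is_truncated_name(rec: Dict[str, str]) -> bool:
    """True when comm is a 15-character proper prefix of the exe basename,
    i.e. the program name was cut at the kernel's comm limit."""
    comm = rec.get("comm", "")
    exe_base = os.path.basename(rec.get("exe", ""))
    return (len(comm) == MAX_COMM_CHARS
            and exe_base != comm
            and exe_base.startswith(comm))


def scan(lines: List[str]) -> List[Tuple[str, str, str, bool]]:
    """Return (pid, comm, exe, truncated) for every SYSCALL record in lines."""
    results = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        results.append((rec.get("pid", ""), rec.get("comm", ""),
                        rec.get("exe", ""), comm_is_truncated_name(rec)))
    return results


if __name__ == "__main__":
    for pid, comm, exe, truncated in scan(SAMPLE_RECORDS):
        flag = "comm truncated, match on exe" if truncated else "ok"
        print(f"pid={pid} comm={comm!r} exe={exe!r}: {flag}")
```

Running the block prints one line per SYSCALL record; the two records from the post are reported as truncated, the constructed bash and "my program" records are not, and the EXECVE record is skipped.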