* syscall - "comm" field truncated
From: Lev Stipakov @ 2016-04-06 13:53 UTC (permalink / raw)
To: linux-audit
Hello,
Sometimes audit of "execve" syscall generates events with truncated
"comm" values, for example:
type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59
success=yes exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2
ppid=2183 pid=26566 auid=4294967295 uid=1001 gid=1001 euid=1001
suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none)
ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"
Why is "comm" "gnome-calculato" and not "/usr/bin/gnome-calculator"?
Same for Firefox:
type=SYSCALL msg=audit(1459950158.667:1092149): arch=c000003e syscall=59
success=yes exit=0 a0=7f913ed1ddf0 a1=7f9144819be0 a2=7f9173f14400
a3=786f666572696600 items=2 ppid=26165 pid=26247 auid=4294967295
uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001
fsgid=1001 tty=(none) ses=4294967295 comm="plugin-containe"
exe="/usr/lib/firefox/plugin-container"
comm is "plugin-containe" and not "plugin-container".
Audit version is 2.4.2-1ubuntu1.
-Lev
* Re: syscall - "comm" field truncated
From: Paul Moore @ 2016-04-06 14:05 UTC (permalink / raw)
To: Lev Stipakov; +Cc: linux-audit
On Wed, Apr 6, 2016 at 9:53 AM, Lev Stipakov <lstipakov@gmail.com> wrote:
> Hello,
>
> Sometimes audit of "execve" syscall generates events with truncated "comm"
> values, for example:
>
> type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59
> success=yes exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2 ppid=2183
> pid=26566 auid=4294967295 uid=1001 gid=1001 euid=1001
> suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none)
> ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"
>
> Why "comm" is "gnome-calculato" and not "/usr/bin/gnome-calculator" ?
This is due to a limitation in how the kernel records the comm field
and isn't likely to change.
--
paul moore
www.paul-moore.com
* Re: syscall - "comm" field truncated
From: Steve Grubb @ 2016-04-06 14:37 UTC (permalink / raw)
To: linux-audit, Lev Stipakov
On Wednesday, April 06, 2016 10:05:35 AM Paul Moore wrote:
> On Wed, Apr 6, 2016 at 9:53 AM, Lev Stipakov <lstipakov@gmail.com> wrote:
> > Hello,
> >
> > Sometimes audit of "execve" syscall generates events with truncated "comm"
> > values, for example:
> >
> > type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59
> > success=yes exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2
> > ppid=2183 pid=26566 auid=4294967295 uid=1001 gid=1001 euid=1001
> > suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none)
> > ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"
> >
> > Why "comm" is "gnome-calculato" and not "/usr/bin/gnome-calculator" ?
>
> This is due to a limitation in how the kernel records the comm field
> and isn't likely to change.
And just to add some history to this, there was a big discussion about this
back when the AUDIT_PROCTITLE record was added to syscall events. (Jan 2014)
Mainline kernel wouldn't allow it to be increased. So, we wound up with the
PROCTITLE record which supplies the missing information and more.
-Steve
* Re: syscall - "comm" field truncated
From: Richard Guy Briggs @ 2016-04-06 15:21 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit
On 16/04/06, Paul Moore wrote:
> On Wed, Apr 6, 2016 at 9:53 AM, Lev Stipakov <lstipakov@gmail.com> wrote:
> > Hello,
> >
> > Sometimes audit of "execve" syscall generates events with truncated "comm"
> > values, for example:
> >
> > type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59
> > success=yes exit=0 a0=35bae3e a1=1bc0cf0 a2=2b09280 a3=58c items=2 ppid=2183
> > pid=26566 auid=4294967295 uid=1001 gid=1001 euid=1001
> > suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none)
> > ses=4294967295 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"
> >
> > Why "comm" is "gnome-calculato" and not "/usr/bin/gnome-calculator" ?
>
> This is due to a limitation in how the kernel records the comm field
> and isn't likely to change.
It is set in the kernel, in file include/linux/sched.h,
struct task_struct, member comm, with length TASK_COMM_LEN which is 16.
Changing it would break all kinds of stuff, so as was mentioned,
PROCTITLE is used to get the kind of information you seek.
> paul moore
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
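Pulling the two replies above together (Steve's point that the PROCTITLE record carries what the 15-byte comm cannot, and Richard's TASK_COMM_LEN = 16 in struct task_struct), here is an added Python example, not from the thread or the audit project, that pairs SYSCALL and PROCTITLE records by audit event id, flags a comm that fills the limit and so may be cut, and recovers the full program name from PROCTITLE. The log lines are constructed for the example (comm/exe values are the thread's; pids and PROCTITLE values are made up), and the quoted-versus-hex decoding follows audit's convention of hex-encoding string values that contain NUL or other control bytes.

```python
import re

TASK_COMM_LEN = 16  # include/linux/sched.h: comm holds 15 bytes plus a NUL

# Constructed sample records (not from the thread), each SYSCALL paired with
# the PROCTITLE record for the same event id; audit hex-encodes any string
# value that holds NUL separators or other control bytes and quotes the rest.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1459950426.152:1097081): arch=c000003e syscall=59 success=yes exit=0 pid=26566 comm="gnome-calculato" exe="/usr/bin/gnome-calculator"
type=PROCTITLE msg=audit(1459950426.152:1097081): proctitle=2F7573722F62696E2F676E6F6D652D63616C63756C61746F72002D2D68656C70
type=SYSCALL msg=audit(1459950158.667:1092149): arch=c000003e syscall=59 success=yes exit=0 pid=26247 comm="plugin-containe" exe="/usr/lib/firefox/plugin-container"
type=PROCTITLE msg=audit(1459950158.667:1092149): proctitle="/usr/lib/firefox/plugin-container"
type=SYSCALL msg=audit(1459950500.000:1097100): arch=c000003e syscall=59 success=yes exit=0 pid=100 comm="bash" exe="/bin/bash"
type=PROCTITLE msg=audit(1459950500.000:1097100): proctitle=62617368002D63006C73
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def parse_record(line):
    """Return (event_id, {field: raw value}) for one audit record line."""
    return EVENT_RE.search(line).group(1), dict(FIELD_RE.findall(line))

def unquote(raw):
    """Decode an audit string value ("quoted" text or bare hex) to bytes."""
    return raw[1:-1].encode() if raw.startswith('"') else bytes.fromhex(raw)

def proctitle_argv(raw):
    """PROCTITLE is argv joined by NULs; drop a trailing NUL before splitting."""
    return [a.decode("utf-8", "replace")
            for a in unquote(raw).rstrip(b"\0").split(b"\0")]

def correlate(log_text):
    """Per SYSCALL event: comm, whether it fills the limit, argv, program name."""
    events = {}
    for line in log_text.splitlines():
        event_id, fields = parse_record(line)
        events.setdefault(event_id, {})[fields["type"]] = fields
    report = {}
    for event_id, recs in events.items():
        sc = recs.get("SYSCALL")
        if sc is None:
            continue
        comm = unquote(sc["comm"])
        pt = recs.get("PROCTITLE")
        argv = proctitle_argv(pt["proctitle"]) if pt else []
        program = argv[0] if argv else unquote(sc["exe"]).decode()  # exe fallback
        report[event_id] = {"comm": comm.decode(), "argv": argv,
                            "hit_limit": len(comm) == TASK_COMM_LEN - 1,
                            "program": program.rsplit("/", 1)[-1]}
    return report
```

A comm of exactly 15 bytes is only a hint that truncation happened, which is why the name is taken from PROCTITLE (or exe) rather than from comm.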