From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Is auditing ftruncate useful?
Date: Fri, 07 Feb 2020 14:17:17 -0500
Message-ID: <1758232.KkKbY19U6n@x2>
References: <5599a207-7054-af2e-6d10-0421154168b8@nwra.com> <8010cdd2-468b-ac87-54f1-2846baf28d28@nwra.com> <57c2b1a1-5406-4d77-9dc5-ad6c99b987a8@magitekltd.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <57c2b1a1-5406-4d77-9dc5-ad6c99b987a8@magitekltd.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote:
> > Doesn't seem much better:
> >
> > type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) :
> > proctitle=/bin/bash /usr/bin/thunderbird
> > type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
> > syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018
> > a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER
> > euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none)
> > ses=1 comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=watched_users
> > Why no PATH entry? I have them for things like open:
>
> The kernel guys can probably answer this accurately.

I would have thought that they would have chimed in by now. Since they didn't,
you might want to file an issue on GitHub. I think you found a problem that
someone should look into some day.

https://github.com/linux-audit/audit-kernel/issues

-Steve