From: Steve Grubb
To: Casey Schaufler
Subject: Re: Is auditing ftruncate useful?
Date: Fri, 06 Mar 2020 11:59:50 -0500
Message-ID: <2633528.kLtZZfLx0Y@x2>
Organization: Red Hat
Cc: linux-audit@redhat.com

On Monday, February 10, 2020 6:29:22 PM EST Casey Schaufler wrote:
> On 2/10/2020 3:05 PM, Orion Poplawski wrote:
> > On 2/10/20 3:54 PM, Paul Moore wrote:
> > So, this is all reasonable. But why do I get this with fchown which also
> > takes a file descriptor?
> > ...
> >
> > It's this disparity between fchown and ftruncate that caught my
> > attention.
>
> fchown changes the security state (mode bits) of the file,
> whereas ftruncate changes the content of the file. The former
> is clearly security relevant, the latter is not.

Well, security relevant or not, the requirement that the rule meets is located
here:

https://www.niap-ccevs.org/MMO/PP/-442-/#fau

File and object events (Successful and unsuccessful attempts to create, access,
delete, modify, modify permissions),

Since they separate modify and modify permissions, they clearly want changes to
content. Now, in the real world is that necessary? Maybe only in super
important scenarios where you have to know any change to anything.

-Steve