Closed opoplawski closed 4 years ago
Upstream mailing list thread: https://www.redhat.com/archives/linux-audit/2020-February/msg00021.html
I wanted to reply to the other things on-list, but there was one thing in this GH issue which wasn't part of the mailing list thread, so I'll reply here ...
Also, I see that the key and ARCH fields run together: key="ftruncate"ARCH=x86_64. Not sure if that is an issue or not, but seems odd.
You might want to raise this with @stevegrubb as I believe the "ARCH=x86_64" is being added by his userspace tools as part of the userspace annotations (e.g. translating token values such as UIDs into strings).
Answered on-list, closing: https://www.redhat.com/archives/linux-audit/2020-February/msg00041.html
With audit rule:
I'm getting in audit.log:
Why is there not a PATH record? I do see one with other f* calls such as fchown.
Seen with: 3.10.0-1062.12.1.el7.x86_64, 4.18.0-167.el8.x86_64, 5.5.0-0.rc6.git3.1.fc32.x86_64
Also, I see that the key and ARCH fields run together: key="ftruncate"ARCH=x86_64. Not sure if that is an issue or not, but seems odd.
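An added example, not part of the issue or the audit project's code: a small parser that separates the kernel-written fields from the userspace annotations mentioned in the reply above. It assumes the records were written by auditd with `log_format = ENRICHED`, which places a non-printing 0x1D byte before the interpreted fields; the function names and the sample record are constructed for illustration.

```python
import re

# Assumption: auditd ENRICHED format, where the interpreted (uppercase)
# fields follow a 0x1D group-separator byte that most viewers do not show.
INTERP_SEP = "\x1d"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _parse(text):
    """Turn 'a=1 b="two"' into {'a': '1', 'b': 'two'}."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def split_record(line):
    """Return (kernel_fields, enriched_fields) for one audit record."""
    raw, _, interp = line.rstrip("\n").partition(INTERP_SEP)
    return _parse(raw), _parse(interp)


def naive_parse(line):
    """Space-only tokenizer that ignores the separator, for comparison.

    split(" ") is used on purpose: Python's bare split() and splitlines()
    treat 0x1D as a separator and would hide (or break) the record.
    """
    return dict(tok.split("=", 1) for tok in line.split(" ") if "=" in tok)


# Constructed sample record (not taken from the issue).
SAMPLE = (
    'type=SYSCALL msg=audit(1581000000.000:100): arch=c000003e syscall=77 '
    'success=yes exit=0 uid=1000 comm="test" key="ftruncate"'
    '\x1dARCH=x86_64 SYSCALL=ftruncate UID="user"'
)

if __name__ == "__main__":
    kernel, enriched = split_record(SAMPLE)
    print("kernel key :", kernel["key"])
    print("enriched   :", enriched)
    print("naive key  :", repr(naive_parse(SAMPLE)["key"]))
```

When reading `audit.log` in Python, iterate over the file or split on `"\n"` explicitly, since `str.splitlines()` also breaks lines at 0x1D.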