linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: ftruncate(2) audit does not generate PATH entries #119

Closed opoplawski closed 4 years ago

opoplawski commented 4 years ago

With audit rule:

-a always,exit -F arch=b64 -S ftruncate -k ftruncate

I'm getting in audit.log:

type=SYSCALL msg=audit(1581116927.390:1176): arch=c000003e syscall=77 success=yes exit=0 a0=17 a1=1000000 a2=55c655843630 a3=0 items=0 ppid=1 pid=537 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-journal" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key="ftruncate"ARCH=x86_64 SYSCALL=ftruncate AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1581116927.390:1176): proctitle="/usr/lib/systemd/systemd-journald"

Why is there not a PATH record? I do see one with other f* calls such as fchown.

Seen with: 3.10.0-1062.12.1.el7.x86_64, 4.18.0-167.el8.x86_64, 5.5.0-0.rc6.git3.1.fc32.x86_64

Also, I see that the key and ARCH fields run together: key="ftruncate"ARCH=x86_64. Not sure if that is an issue or not, but seems odd.

pcmoore commented 4 years ago

Upstream mailing list thread: https://www.redhat.com/archives/linux-audit/2020-February/msg00021.html

pcmoore commented 4 years ago

I wanted to reply to the other things on-list, but there was one thing in this GH issue which wasn't part of the mailing list thread, so I'll reply here ...

> Also, I see that the key and ARCH fields run together: key="ftruncate"ARCH=x86_64. Not sure if that is an issue or not, but seems odd.

You might want to raise this with @stevegrubb as I believe the "ARCH=x86_64" is being added by his userspace tools as part of the userspace annotations (e.g. translating token values such as UIDs into strings).

pcmoore commented 4 years ago

Answered on-list, closing: https://www.redhat.com/archives/linux-audit/2020-February/msg00041.html