On Thursday, February 6, 2020 1:33:19 PM EST Lenny Bruzenak wrote:
> > Doesn't seem much better:
> >
> > type=PROCTITLE msg=audit(02/06/2020 10:58:23.626:119631) :
> > proctitle=/bin/bash /usr/bin/thunderbird
> > type=SYSCALL msg=audit(02/06/2020 10:58:23.626:119631) : arch=x86_64
> > syscall=ftruncate success=yes exit=0 a0=0x4a a1=0x28 a2=0x7f1e41600018
> > a3=0xfffffe00 items=0 ppid=2451 pid=3561 auid=USER uid=USER gid=USER
> > euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none)
> > ses=1 comm=thunderbird exe=/usr/lib64/thunderbird/thunderbird
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=watched_users
> > Why no PATH entry? I have them for things like open:
>
> The kernel guys can probably answer this accurately.

I would have thought that they would have chimed in by now. Since they didn't
you might want to file an issue on github. I think you found a problem that
someone should look into some day.

https://github.com/linux-audit/audit-kernel/issues

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
