Description of problem: When experimenting with the ANOM_LINK event creation, it was found that the proctitle record seemed to have the exe of the ppid instead of the pid's. Version-Release number of selected component (if applicable): 4.1.6-200.fc22.x86_64 How reproducible: Always Steps to Reproduce: As a normal user: cd /tmp ln -s /bin/passwd my-passwd Then as root: ausearch --start recent -m anom_link -i verify you have nothing chown lp /tmp/my-passwd <- but use tab completion after /tmp/m this will fail ausearch --start recent -m anom_link -i | grep PROCTITLE Actual results: type=PROCTITLE msg=audit(08/27/2015 19:22:40.823:1246) : proctitle=-bash type=PROCTITLE msg=audit(08/27/2015 19:22:40.824:1247) : proctitle=su - root type=PROCTITLE msg=audit(08/27/2015 19:22:40.824:1248) : proctitle=su - root type=PROCTITLE msg=audit(08/27/2015 19:22:43.489:1249) : proctitle=chown lp /tmp/my-passwd Expected results: I would not expect su to be involved.
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs. Fedora 22 has now been rebased to 4.2.3-200.fc22. Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel. If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23. If you experience different issues, please open a new bug report for those.
Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.
I'm going to mark this as CLOSED/DEFERRED since we are tracking upstream bugs on GitHub now. * https://github.com/linux-audit/audit-kernel/issues/15