Very curious. I tried again with new kernel and no change in results:
$ cat /proc/version_signature
Ubuntu 5.4.0-12.15-generic 5.4.8
$ uname -a
Linux millbarge 5.4.0-12-generic #15-Ubuntu SMP Tue Jan 21 15:12:29 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ apt policy fatrace
fatrace:
  Installed: 0.13-2
  Candidate: 0.13-2
  Version table:
 *** 0.13-2 500
        500 http://wopr/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status
journalctl -f output while testing:
Jan 30 19:00:48 millbarge audit[1440438]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=55f754fc09f0 a1=55f754fb00a0 a2=55f754fb5a70 a3=8 items=2 ppid=22587 pid=1440438 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
Jan 30 19:00:48 millbarge audit: EXECVE argc=2 a0="sudo" a1="fatrace"
Jan 30 19:00:48 millbarge audit: CWD cwd="/home/sarnold"
Jan 30 19:00:48 millbarge audit: PATH item=0 name="/usr/bin/sudo" inode=51282 dev=00:1b mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Jan 30 19:00:48 millbarge audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=9834 dev=00:1b mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Jan 30 19:00:48 millbarge audit: PROCTITLE proctitle=7375646F0066617472616365
Jan 30 19:00:48 millbarge sudo[1440438]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Jan 30 19:00:49 millbarge sudo[1440438]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Jan 30 19:00:49 millbarge audit[1440438]: USER_AUTH pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:49 millbarge audit[1440438]: USER_ACCT pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:accounting grantors=pam_permit acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:49 millbarge sudo[1440438]: sarnold : TTY=pts/2 ; PWD=/home/sarnold ; USER=root ; COMMAND=/usr/sbin/fatrace
Jan 30 19:00:49 millbarge audit[1440438]: USER_CMD pid=1440438 uid=1000 auid=1000 ses=1 msg='cwd="/home/sarnold" cmd="fatrace" terminal=pts/2 res=success'
Jan 30 19:00:49 millbarge audit[1440438]: CRED_REFR pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:49 millbarge sudo[1440438]: pam_unix(sudo:session): session opened for user root by sarnold(uid=0)
Jan 30 19:00:49 millbarge audit[1440438]: USER_START pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:57 millbarge bash[1005653]: Thu, 30 Jan 2020 19:00:57 +0000 src 46 (fix: 3) currently receiving: 0,3@0 0,9@0 0,16@0 0,22@0 0,23@0 0,26@0 2,1@1 2,4@1 2,21@1 3,14@0 3,24@0 3,25@0
Jan 30 19:01:03 millbarge sudo[1440438]: pam_unix(sudo:session): session closed for user root
Jan 30 19:01:03 millbarge audit[1440438]: USER_END pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:01:03 millbarge audit[1440438]: CRED_DISP pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
tail -F /var/log/audit/audit.log output while testing:
type=SYSCALL msg=audit(1580410848.032:15175): arch=c000003e syscall=59 success=yes exit=0 a0=55f754fc09f0 a1=55f754fb00a0 a2=55f754fb5a70 a3=8 items=2 ppid=22587 pid=1440438 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
type=EXECVE msg=audit(1580410848.032:15175): argc=2 a0="sudo" a1="fatrace"
type=CWD msg=audit(1580410848.032:15175): cwd="/home/sarnold"
type=PATH msg=audit(1580410848.032:15175): item=0 name="/usr/bin/sudo" inode=51282 dev=00:1b mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1580410848.032:15175): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=9834 dev=00:1b mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1580410848.032:15175): proctitle=7375646F0066617472616365
type=USER_AUTH msg=audit(1580410849.140:15176): pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_ACCT msg=audit(1580410849.140:15177): pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:accounting grantors=pam_permit acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_CMD msg=audit(1580410849.140:15178): pid=1440438 uid=1000 auid=1000 ses=1 msg='cwd="/home/sarnold" cmd="fatrace" terminal=pts/2 res=success'
type=CRED_REFR msg=audit(1580410849.140:15179): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_START msg=audit(1580410849.140:15180): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_END msg=audit(1580410863.888:15181): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=CRED_DISP msg=audit(1580410863.892:15182): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Thanks
Very curious. I tried again with new kernel and no change in results:
$ cat /proc/version_signature
Ubuntu 5.4.0-12.15-generic 5.4.8
$ uname -a
Linux millbarge 5.4.0-12-generic #15-Ubuntu SMP Tue Jan 21 15:12:29 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ apt policy fatrace
fatrace:
  Installed: 0.13-2
  Candidate: 0.13-2
  Version table:
 *** 0.13-2 500
        500 http://wopr/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status
journalctl -f output while testing:
Jan 30 19:00:48 millbarge audit[1440438]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=55f754fc09f0 a1=55f754fb00a0 a2=55f754fb5a70 a3=8 items=2 ppid=22587 pid=1440438 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
Jan 30 19:00:48 millbarge audit: EXECVE argc=2 a0="sudo" a1="fatrace"
Jan 30 19:00:48 millbarge audit: CWD cwd="/home/sarnold"
Jan 30 19:00:48 millbarge audit: PATH item=0 name="/usr/bin/sudo" inode=51282 dev=00:1b mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Jan 30 19:00:48 millbarge audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=9834 dev=00:1b mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Jan 30 19:00:48 millbarge audit: PROCTITLE proctitle=7375646F0066617472616365
Jan 30 19:00:48 millbarge sudo[1440438]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Jan 30 19:00:49 millbarge sudo[1440438]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Jan 30 19:00:49 millbarge audit[1440438]: USER_AUTH pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:49 millbarge audit[1440438]: USER_ACCT pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:accounting grantors=pam_permit acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:49 millbarge sudo[1440438]: sarnold : TTY=pts/2 ; PWD=/home/sarnold ; USER=root ; COMMAND=/usr/sbin/fatrace
Jan 30 19:00:49 millbarge audit[1440438]: USER_CMD pid=1440438 uid=1000 auid=1000 ses=1 msg='cwd="/home/sarnold" cmd="fatrace" terminal=pts/2 res=success'
Jan 30 19:00:49 millbarge audit[1440438]: CRED_REFR pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:49 millbarge sudo[1440438]: pam_unix(sudo:session): session opened for user root by sarnold(uid=0)
Jan 30 19:00:49 millbarge audit[1440438]: USER_START pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:00:57 millbarge bash[1005653]: Thu, 30 Jan 2020 19:00:57 +0000 src 46 (fix: 3) currently receiving: 0,3@0 0,9@0 0,16@0 0,22@0 0,23@0 0,26@0 2,1@1 2,4@1 2,21@1 3,14@0 3,24@0 3,25@0
Jan 30 19:01:03 millbarge sudo[1440438]: pam_unix(sudo:session): session closed for user root
Jan 30 19:01:03 millbarge audit[1440438]: USER_END pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Jan 30 19:01:03 millbarge audit[1440438]: CRED_DISP pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
tail -F /var/log/audit/audit.log output while testing:
type=SYSCALL msg=audit(1580410848.032:15175): arch=c000003e syscall=59 success=yes exit=0 a0=55f754fc09f0 a1=55f754fb00a0 a2=55f754fb5a70 a3=8 items=2 ppid=22587 pid=1440438 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm="sudo" exe="/usr/bin/sudo" key="execpriv"
type=EXECVE msg=audit(1580410848.032:15175): argc=2 a0="sudo" a1="fatrace"
type=CWD msg=audit(1580410848.032:15175): cwd="/home/sarnold"
type=PATH msg=audit(1580410848.032:15175): item=0 name="/usr/bin/sudo" inode=51282 dev=00:1b mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1580410848.032:15175): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=9834 dev=00:1b mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1580410848.032:15175): proctitle=7375646F0066617472616365
type=USER_AUTH msg=audit(1580410849.140:15176): pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_ACCT msg=audit(1580410849.140:15177): pid=1440438 uid=1000 auid=1000 ses=1 msg='op=PAM:accounting grantors=pam_permit acct="sarnold" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_CMD msg=audit(1580410849.140:15178): pid=1440438 uid=1000 auid=1000 ses=1 msg='cwd="/home/sarnold" cmd="fatrace" terminal=pts/2 res=success'
type=CRED_REFR msg=audit(1580410849.140:15179): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_START msg=audit(1580410849.140:15180): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=USER_END msg=audit(1580410863.888:15181): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:session_close grantors=pam_env,pam_env,pam_permit,pam_umask,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
type=CRED_DISP msg=audit(1580410863.892:15182): pid=1440438 uid=0 auid=1000 ses=1 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/2 res=success'
Thanks