Hello,
I have set some file monitoring audit rules on a directory and the audit log 
shows some entries like

ausearch -if $LOGDIR -a 448424 -i
NOTE - using logs in /qdap01/tax/logs/audit.log
----
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1 
name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1 
inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 
nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=0 
name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 
ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/27/2017 13:50:13.917:448424) : 
cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
type=SYSCALL msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open 
success=yes exit=5 a0=0x8be40c0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0 
items=2 ppid=635 pid=677 auid=rmoroncelli uid=akatekar gid=mfradmin 
euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin 
fsgid=mfradmin tty=(none) ses=219531 comm=EXECPGM 
exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA

ausearch -if $LOGDIR -a 448424 --raw | aureport -i -f
NOTE - using logs in /qdap01/tax/logs/audit.log

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2017 13:50:13 /qdap01/tax/data/seqfiles/DFS/ open yes 
/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM rmoroncelli 448424

As you can see, the full path of the file is available in the audit event, yet 
aureport -f does not show the complete file name. Any idea why this is 
happening, and what should I do to get the full path as given in item 1? It seems 
that for some reason it always gives the filename in item 0.

I have another entry where the inode is present but the name is (null).

ausearch -if $LOGDIR -a 448425 -i
NOTE - using logs in /qdap01/tax/logs/audit.log
----
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null) 
inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 
nametype=NORMAL
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=0 
name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 
ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/27/2017 13:50:14.862:448425) : 
cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
type=SYSCALL msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open 
success=yes exit=5 a0=0x914552a a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0 
items=2 ppid=677 pid=803 auid=rmoroncelli uid=akatekar gid=mfradmin 
euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin 
fsgid=mfradmin tty=(none) ses=219531 comm=IEBGENER 
exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA

ausearch -if $LOGDIR -a 448425 --raw | aureport -i -f
NOTE - using logs in /qdap01/tax/logs/audit.log

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ open yes 
/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER rmoroncelli 448425

Why is this coming as null for item1?

Another entry has a rename SYSCALL, which comes out as

ausearch -if $LOGDIR -a 448427 -i
NOTE - using logs in /qdap01/tax/logs/audit.log
----
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3 
name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703 
dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=2 
name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07 inode=6703 
dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=DELETE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=1 
name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 
ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=0 
name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 
ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
type=CWD msg=audit(02/27/2017 13:50:14.939:448427) : 
cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
type=SYSCALL msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 
syscall=rename success=yes exit=0 a0=0xfff3b160 a1=0xfff3ad60 a2=0x7 
a3=0xfff3b160 items=4 ppid=840 pid=843 auid=rmoroncelli uid=akatekar 
gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin 
sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=gdgen 
exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA


ausearch -if $LOGDIR -a 448427 -r | aureport -i -f
NOTE - using logs in /qdap01/tax/logs/audit.log

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ rename yes 
/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen rmoroncelli 448427

How can we get both the filenames (in item3 and item2) in the aureport?

Finally, can we have uid come out in the aureport along with auid? Are there any 
options/arguments that might help?

Sorry if this has already been asked many times, but I did not get my answers 
with the limited search that I did.

Thanks in advance for the help.

Regards,
Amit Katekar.

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit