On Thursday, March 9, 2017 2:30:33 PM EDT Steve Grubb wrote:
> Hello,
>
> On Monday, February 27, 2017 9:05:18 PM EST Kaptaan wrote:
> > I have set some file monitoring audit rules on a directory and the audit
> > log shows some entries like
> >
> > ausearch -if $LOGDIR -a 448424 -i
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > ----
> > type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1 inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
> > type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
> > type=CWD msg=audit(02/27/2017 13:50:13.917:448424) : cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
> > type=SYSCALL msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open success=yes exit=5 a0=0x8be40c0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0 items=2 ppid=635 pid=677 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=EXECPGM exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA
> >
> > ausearch -if $LOGDIR -a 448424 --raw | aureport -i -f
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> >
> > File Report
> > ===============================================
> > # date time file syscall success exe auid event
> > ===============================================
> > 1. 02/27/2017 13:50:13 /qdap01/tax/data/seqfiles/DFS/ open yes /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM rmoroncelli 448424
> >
> > As you can see the full path of the file is available for the audit event,
> > but yet the aureport -f does not show the complete file name. Any idea why
> > this is happening and what should I do to get the full path as given in
> > item1. It seems for some reason, it always gives the filename in item0.
>
> A long time ago, the kernel only produced one PATH record. So, aureport
> printed one PATH record. Ausearch and Aureport share the same record parser.
> At some point in the past, it was decided that we are going to get multiple
> PATH records that describe different things about the event. So, work was
> done in the parser to locate all of the pieces for searching. But work was
> not done on the aureport file report. So, what you are seeing is the first
> PATH record which is the directory.
>
> > I have another entry where the inode is present but the name is (null).
> >
> > ausearch -if $LOGDIR -a 448425 -i
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > ----
> > type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null) inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=NORMAL
> > type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
> > type=CWD msg=audit(02/27/2017 13:50:14.862:448425) : cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
> > type=SYSCALL msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open success=yes exit=5 a0=0x914552a a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0 items=2 ppid=677 pid=803 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=IEBGENER exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA
> >
> > ausearch -if $LOGDIR -a 448425 --raw | aureport -i -f
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> >
> > File Report
> > ===============================================
> > # date time file syscall success exe auid event
> > ===============================================
> > 1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ open yes /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER rmoroncelli 448425
> >
> > Why is this coming as null for item1?
>
> I couldn't tell you the exact reason, but it's something along the lines of
> the name was not available. You might say, isn't the name one of the
> parameters passed to the open syscall? And I'd say yep. Maybe one of these
> days it will get used when path name resolution fails.
>
> > Another entry has a rename SYSCALL, which comes out
> >
> > ausearch -if $LOGDIR -a 448427 -i
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > ----
> > type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=CREATE
> > type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=2 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07 inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00 nametype=DELETE
> > type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=1 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
> > type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT
> > type=CWD msg=audit(02/27/2017 13:50:14.939:448427) : cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635
> > type=SYSCALL msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 syscall=rename success=yes exit=0 a0=0xfff3b160 a1=0xfff3ad60 a2=0x7 a3=0xfff3b160 items=4 ppid=840 pid=843 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin tty=(none) ses=219531 comm=gdgen exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA
> >
> > ausearch -if $LOGDIR -a 448427 -r | aureport -i -f
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> >
> > File Report
> > ===============================================
> > # date time file syscall success exe auid event
> > ===============================================
> > 1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ rename yes /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen rmoroncelli 448427
> >
> > How can we get both the filenames (in item3 and item2) in the aureport?
>
> Aureport has never supported that. I'd say that perhaps it should be changed
> to skip parent records if the other ones don't have (null).

This has been put into the next release which should go out tomorrow. It will
now pick the first non-parent record. This should be closer to what you want.

-Steve

> > Finally, can we have uid come out in the aureport along with auid? Any
> > option/arguments that might help?
>
> Nope. That would take reworking the output of aureport.
>
> -Steve
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
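As an added example, not part of the thread or of the audit-userspace code: a small Python parser for the ausearch -i records quoted above that applies the selection rule Steve describes for the file report (first non-parent PATH record, skipping (null) names and falling back to the parent directory), and that also exposes uid next to auid and both names of a rename, which the thread says aureport itself does not do. The sample lines are the three events from the thread with the owner and register fields dropped; the record grouping and field regexes are this example's own assumptions, not aureport's parser.

```python
import re
from collections import defaultdict
# Constructed sample: the three events quoted above, as ausearch -i prints them, with owner and register fields dropped.
SAMPLE = """\
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1 inode=6581 dev=fd:33 mode=file,777 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 nametype=PARENT
type=SYSCALL msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open success=yes exit=5 auid=rmoroncelli uid=akatekar exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null) inode=6581 dev=fd:33 mode=file,777 nametype=NORMAL
type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 nametype=PARENT
type=SYSCALL msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open success=yes exit=5 auid=rmoroncelli uid=akatekar exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703 dev=fd:33 mode=file,777 nametype=CREATE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=2 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07 inode=6703 dev=fd:33 mode=file,777 nametype=DELETE
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=1 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 nametype=PARENT
type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770 nametype=PARENT
type=SYSCALL msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 syscall=rename success=yes exit=0 auid=rmoroncelli uid=akatekar exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA
"""

SERIAL = re.compile(r"msg=audit\([^)]*:(\d+)\)")  # serial at the end of msg=audit(date time:serial)
FIELD = re.compile(r"(\w+)=(\S+)")                # key=value pairs after the " : " separator

def parse_events(text):
    """Group records by event serial: {serial: {"SYSCALL": fields, "PATH": [fields, ...]}}."""
    events = defaultdict(lambda: {"SYSCALL": {}, "PATH": []})
    for line in text.splitlines():
        m = SERIAL.search(line)
        if not m or " : " not in line:
            continue  # not an audit record we know how to split
        rtype = line.split(None, 1)[0].split("=", 1)[1]        # "type=PATH" -> "PATH"
        fields = dict(FIELD.findall(line.split(" : ", 1)[1]))  # everything after " : "
        if rtype == "PATH":
            events[m.group(1)]["PATH"].append(fields)
        elif rtype == "SYSCALL":
            events[m.group(1)]["SYSCALL"] = fields
    return events

def paths_by_item(event):
    """PATH records in item order; item 0 is the parent directory the old report printed."""
    return sorted(event["PATH"], key=lambda p: int(p["item"]))

def report_name(event):
    """Rule from the fix: first non-PARENT record, skipping (null) names, else the parent dir."""
    paths = paths_by_item(event)
    for p in paths:
        if p.get("nametype") != "PARENT" and p.get("name") != "(null)":
            return p["name"]
    return paths[0]["name"] if paths else None

def changed_names(event):
    """Every non-parent name in item order, so a rename yields its DELETE and CREATE entries."""
    return [(p["nametype"], p["name"]) for p in paths_by_item(event) if p.get("nametype") != "PARENT"]
```

For event 448425 the only non-parent record is (null), so the function falls back to the directory, which is the case Steve's "skip parent records if the other ones don't have (null)" remark is about.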
