On Sun, Apr 7, 2019 at 4:22 AM Steve Grubb <[email protected]> wrote:
> On Fri, 5 Apr 2019 16:30:32 +0200
> "Ondra N." <[email protected]> wrote:
> > it seems that the option fails to display the second object for rename
> > action.
>
> To catch everyone up, it turns out this is audit-2.8.4 and kernel
> 3.10.0-957.el7.x86_64.

Ondra, I'm not sure if you have any more recent kernels running, but have
you seen the same issue on other kernel/userspace combinations?

> > interactive format correctly shows renaming the file
> > 5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
> >
> > ausearch -k test-ra -i
> >
> > type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
> > proctitle=python3 populate_fs.py rename
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
> > inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> > objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
>
> There seems to be a missing DELETE path record here. What I see on my
> system is 2 PARENT records, 2 DELETE records, and 1 CREATE record. The
> two parents are for both items (obj1 & obj2). Then both objects get
> deleted, and we are left with 1 object being created. This last create
> record is what OBJ2 would be. Without the second DELETE, we wind
> up on the wrong record looking for 'name'.
>
> Looking at the inodes, what is missing is the DELETE for the inode that
> is being replaced with the tmp copy. Funny thing is, this works fine
> for me on the same user space and kernel.
>
> Can you pass along a simplified reproducer? Shell script would be
> preferred.
>
> Thanks,
> -Steve
>
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
> > inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> > objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> > inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> > objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> > inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> > objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
> > cwd=/push_agent/src/main/python/scripts
> > type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
> > syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
> > a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
> > uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> > fsgid=root tty=pts1 ses=5549 comm=python3
> > exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
> >
> > but csv format shows just an empty column where the info about the
> > object2 should be.
> >
> > ausearch -k test-ra --format csv --extra-obj2
> >
> > ,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
> >
> > is this desired behaviour?

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
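As an added illustration of the PATH-record shapes Steve describes (example code, not from the thread and not ausearch's own selection logic): it rebuilds the quoted rename event from the fields shown, picks obj1/obj2 by objtype and inode rather than by record position, and reports the extra DELETE of the 2 PARENT / 2 DELETE / 1 CREATE shape. The second event, with the made-up inode 999999, is constructed to show that shape.

```python
import re
from collections import Counter

# Constructed sample: the PATH records of the rename event quoted in the
# thread, rebuilt from the fields shown (dev/ouid/cap_* fields omitted).
PREFIX = ("/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/"
          "93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/")
OLD, NEW = PREFIX + "5M2w0d4eagxxig9KYM5.file", PREFIX + "DyTbnH12dMV1nQsOxU.file"
HDR = "type=PATH msg=audit(04/05/2019 13:57:22.489:110873) :"
SAMPLE_EVENT = "\n".join([
    f"{HDR} item=3 name={NEW} inode=184553858 mode=file,644 objtype=CREATE",
    f"{HDR} item=2 name={OLD} inode=184553858 mode=file,644 objtype=DELETE",
    f"{HDR} item=1 name={PREFIX} inode=184554064 mode=dir,755 objtype=PARENT",
    f"{HDR} item=0 name={PREFIX} inode=184554064 mode=dir,755 objtype=PARENT",
    "type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : syscall=rename items=4",
])
# Constructed variant with the 2 PARENT / 2 DELETE / 1 CREATE shape: the new
# name already existed as another inode (999999, made up) and was replaced.
REPLACED_EVENT = SAMPLE_EVENT.replace(
    f"item=3 name={NEW}",
    f"item=4 name={NEW} inode=999999 mode=file,644 objtype=DELETE\n"
    f"{HDR} item=3 name={NEW}", 1)

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_path_records(event_text):
    """Return the PATH records of one event as dicts, ordered by item number."""
    records = []
    for line in event_text.splitlines():
        if line.startswith("type=PATH "):
            f = dict(FIELD_RE.findall(line))
            records.append({"item": int(f["item"]), "name": f["name"],
                            "inode": f["inode"], "objtype": f["objtype"]})
    return sorted(records, key=lambda r: r["item"])

def rename_objects(records):
    """Pick obj1 (old name) and obj2 (new name) of a rename by objtype and inode,
    not by record position. A moved file keeps its inode, so the DELETE that
    shares the CREATE record's inode is obj1 under its old name; any other
    DELETE is the inode that was replaced at the destination (the second DELETE
    of the 2/2/1 shape). Illustrative logic, not ausearch's own."""
    counts = dict(Counter(r["objtype"] for r in records))
    creates = [r for r in records if r["objtype"] == "CREATE"]
    if len(creates) != 1:          # not a rename-shaped event
        return {"obj1": None, "obj2": None, "replaced": None, "counts": counts}
    obj2 = creates[0]
    deletes = [r for r in records if r["objtype"] == "DELETE"]
    moved = [r["name"] for r in deletes if r["inode"] == obj2["inode"]]
    replaced = [r["name"] for r in deletes if r["inode"] != obj2["inode"]]
    return {"obj1": moved[0] if moved else None, "obj2": obj2["name"],
            "replaced": replaced[0] if replaced else None, "counts": counts}
```

Running it over the quoted event yields obj1 and obj2 from the one DELETE/CREATE pair and a 2/1/1 count, so a consumer that keys on objtype and inode still fills obj2 where a position-based pick lands on the wrong record.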
