Hi,

On Mon, Feb 28, 2022 at 2:46 PM Mark Gardner <m...@klas.com> wrote:
> [snip]
>
> [root@localhost test]# ausearch -k test --format text -ts recent
>
> At 14:10:55 02/28/2022 root successfully opened-file using /usr/bin/cp
> At 14:11:37 02/28/2022 root successfully deleted using /usr/bin/rm
> At 14:13:16 02/28/2022 system, acting as root, successfully remove_rule test using /usr/sbin/auditctl
> At 14:14:11 02/28/2022 root successfully add_rule test using /usr/sbin/auditctl
> At 14:14:23 02/28/2022 root successfully opened-file using /usr/bin/cp
> At 14:14:30 02/28/2022 root successfully deleted using /usr/bin/rm
> [root@localhost test]#
>
> Notice no information on what file was copied / removed?
>

I was able to reproduce this issue with 3.0.7 and submitted a fix that was merged upstream as commit becc1c.

I now get the following output, with the patched version:

At 16:46:10 03/09/2022 root successfully add_rule test using /usr/sbin/auditctl
At 16:46:16 03/09/2022 root successfully opened-file /root/test/hosts using /usr/bin/cp
At 16:46:23 03/09/2022 root successfully deleted /root/test/hosts using /usr/bin/rm

With 3.0.7, I would get this:

At 16:46:10 03/09/2022 root successfully add_rule test using /usr/sbin/auditctl
At 16:46:16 03/09/2022 root successfully opened-file using /usr/bin/cp
At 16:46:23 03/09/2022 root successfully deleted using /usr/bin/rm

Best Regards,
Sergio

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
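The thread above shows why the missing object matters for anyone relying on `ausearch --format text` for review or alerting: an "opened-file" or "deleted" line with no path is not actionable. The following is an added example, not code from the thread or from the audit project, that parses the text-format lines quoted in the thread and flags events whose action should name a file or rule but does not. The line grammar (`At <time> <date> <subject> successfully <action> [<object>] using <exe>`) and the set of actions expected to carry an object are assumptions derived only from the sample output above; the sample lines themselves are copied from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed grammar of one "ausearch --format text" line, inferred from the
# thread's sample output (this regex is part of the example, not ausearch's code):
#   At <time> <date> <subject> successfully <action> [<object>] using <exe>
LINE_RE = re.compile(
    r"^At (?P<time>\S+) (?P<date>\S+) (?P<subject>.+?) successfully "
    r"(?P<action>\S+)(?: (?P<obj>.+?))? using (?P<exe>\S+)$"
)

# Actions that should report the file or rule they acted on.
# Assumption for this check, based on the actions seen in the thread.
OBJECT_EXPECTED = {"opened-file", "deleted", "add_rule", "remove_rule"}


@dataclass
class AuditEvent:
    time: str
    date: str
    subject: str
    action: str
    obj: Optional[str]  # file path or rule key; None when the line omits it
    exe: str


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one text-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuditEvent(m["time"], m["date"], m["subject"],
                      m["action"], m["obj"], m["exe"])


def missing_objects(lines: List[str]) -> List[AuditEvent]:
    """Return events whose action should carry an object but whose line lacks one.

    A non-empty result on a freshly generated report indicates the report
    cannot tell the reviewer which file was touched (the 3.0.7 behaviour).
    """
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.action in OBJECT_EXPECTED and ev.obj is None:
            flagged.append(ev)
    return flagged


# Sample output copied from the thread: the unpatched 3.0.7 report...
BEFORE_FIX = [
    "At 16:46:10 03/09/2022 root successfully add_rule test using /usr/sbin/auditctl",
    "At 16:46:16 03/09/2022 root successfully opened-file using /usr/bin/cp",
    "At 16:46:23 03/09/2022 root successfully deleted using /usr/bin/rm",
]

# ...and the same events as reported by the patched version.
AFTER_FIX = [
    "At 16:46:10 03/09/2022 root successfully add_rule test using /usr/sbin/auditctl",
    "At 16:46:16 03/09/2022 root successfully opened-file /root/test/hosts using /usr/bin/cp",
    "At 16:46:23 03/09/2022 root successfully deleted /root/test/hosts using /usr/bin/rm",
]

# A line from the original report with a multi-word subject.
RULE_LINE = ("At 14:13:16 02/28/2022 system, acting as root, successfully "
             "remove_rule test using /usr/sbin/auditctl")


if __name__ == "__main__":
    for label, report in (("3.0.7", BEFORE_FIX), ("patched", AFTER_FIX)):
        bad = missing_objects(report)
        print(f"{label}: {len(bad)} event(s) without an object")
        for ev in bad:
            print(f"  {ev.time} {ev.date} {ev.action} via {ev.exe}")
```

Running the script reports two incomplete events for the 3.0.7 output and none for the patched output. In practice the check is most useful as a sanity test after upgrading audit userspace: if a report from a known-good test rule still produces flagged lines, the text formatter is not surfacing the object and the raw records (`ausearch -i` without `--format text`) should be used until the fix is in place.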