Hi, this issue has already been reported by me at the GitHub linux-audit/audit-userspace issues site, but Steve Grubb suggested writing here to report the issue to the kernel-side developers.

Just in case, you can find the original thread under this link: https://github.com/linux-audit/audit-userspace/issues/298 entitled: "The directory removing loses a fraction of path."

Problem description. (Slightly changed with respect to the original thread.)

When deleting a directory, there is not enough information in the 'audit.log' file to reconstruct the full path to the deleted file as well as to the deleted directory. When the following sequence of commands is run in bash, we get the information presented below in the 'audit.log' file. Apart from two cases, all others do not allow reconstructing the full path from the 'CWD' and 'PATH' records.

---- command sequence ----
# cd /root
# mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1
# rm -rf dir1/dir2
# ausearch -i -ts 02/20/2023 09:37:00 -te 02/20/2023 09:38:00 > relative_without_trailing_slash.txt
# mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1
# rm -rf dir1/dir2/
# ausearch -i -ts 02/20/2023 09:38:00 -te 02/20/2023 09:39:00 > relative_with_trailing_slash.txt
# mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1
# rm -rf /root/dir1/dir2/
# ausearch -i -ts 02/20/2023 09:39:00 -te 02/20/2023 09:40:00 > absolute_with_trailing_slash.txt
# mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1
# rm -rf /root/dir1/dir2
# ausearch -i -ts 02/20/2023 09:40:00 -te 02/20/2023 09:41:00 > absolute_without_trailing_slash.txt

---- results ----

---- # cat relative_without_trailing_slash.txt # (edited) ----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2
type=PATH : item=1 name=dir3 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2
type=PATH : item=1 name=dir1/dir2 nametype=DELETE
type=PATH : item=0 name=dir1/ nametype=PARENT
type=CWD : cwd=/root
----

---- # cat relative_with_trailing_slash.txt # (edited) ----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=1 name=dir3 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=2 name=(null) nametype=DELETE
type=PATH : item=1 name=(null) nametype=PARENT
type=PATH : item=0 name=dir1/ nametype=PARENT
type=CWD : cwd=/root
----

---- # cat absolute_with_trailing_slash.txt # (edited) ----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2/
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2/
type=PATH : item=1 name=dir3 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2/
type=PATH : item=2 name=(null) nametype=DELETE
type=PATH : item=1 name=(null) nametype=PARENT
type=PATH : item=0 name=/root/dir1/ nametype=PARENT
type=CWD : cwd=/root
----

---- # cat absolute_without_trailing_slash.txt # (edited) ----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2
type=PATH : item=1 name=dir3 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2
type=PATH : item=1 name=/root/dir1/dir2 nametype=DELETE
type=PATH : item=0 name=/root/dir1/ nametype=PARENT
type=CWD : cwd=/root
----

Tested on:

RedHat 9.0, Alma 9.0
  kernel - 5.14.0-70.13.1.el9_0.x86_6
  packages - audit.x86_64, audit-libs.x86_64 - 3.0.7-103.el9

RedHat 8.6, Alma 8.6
  kernel - 4.18.0-372.9.1.el8.x86_64
  packages - audit.x86_64, audit-libs.x86_64 - 3.0.7-4.el8

RedHat 7.9, Centos 7.9
  kernel - 3.10.0-1160.80.1.el7.x86_64
  packages - audit.x86_64, audit-libs.x86_64 - 2.8.5-4.el7

Ubuntu 22.04.2
  kernel - 5.15.0-60-generic
  packages - auditd, libaudit-common, libaudit-dev:amd64, libaudit1:amd64 - 1:3.0.7-1build1

---- Configuration files on RedHat 9.0 ----

---- /etc/audit/audit.rules ----
-D
-b 8192
-f 1
-w / -p w -k TEST
--backlog_wait_time 60000
----

---- /etc/audit/auditd.conf ----
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 1200
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2
----

As suggested by Steve, I also checked the following rules independently, instead of '-w / -p w -k TEST':

-a always,exit -F arch=b64 -F dir=/root/dir1/dir2/dir3/ -k TEST
-a always,exit -F arch=b64 -F path=/root/dir1/dir2/dir3/file1 -k TEST
-a always,exit -F arch=b64 -S unlinkat -k TEST

And I always get the same results as in the watch '-w / -p w' case. There is still not enough information in the 'audit.log' file to reconstruct the full path to the deleted file. On the other hand, the goal is to monitor events across the file system. There is no way to predict what will be deleted. Therefore, applying rules to specific directories and files seems to be the wrong way to go.

----
/Jarek.
jjozwiak (at) catalogicsoftware.com
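To make the gap in the report concrete, here is an added example (not part of the original post or of the audit project) that parses the edited `ausearch -i` events shown above and tries to rebuild the deleted path from the DELETE, PARENT and CWD records. The combination rule in `reconstruct()` is this example's own assumption about how a log consumer would join those records; the audit tooling does not define one. The `SAMPLE` text is constructed from the four DELETE events of the report, and `ACTUALLY_DELETED` is constructed from the `mkdir`/`echo`/`rm` sequence the reporter ran, so the script can judge whether each reconstruction points at the object that was really removed. Real `ausearch -i` output carries more fields per record (timestamps, msg=audit(...), etc.); the parser only relies on the `type=... : key=value ...` layout visible in the edited excerpts.

```python
import posixpath
import re

# Constructed sample: the four DELETE events from the report above, reduced
# to the PROCTITLE, PATH and CWD records as they appear in the edited output.
SAMPLE = """\
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2
type=PATH : item=1 name=dir1/dir2 nametype=DELETE
type=PATH : item=0 name=dir1/ nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=2 name=(null) nametype=DELETE
type=PATH : item=1 name=(null) nametype=PARENT
type=PATH : item=0 name=dir1/ nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2
type=PATH : item=1 name=/root/dir1/dir2 nametype=DELETE
type=PATH : item=0 name=/root/dir1/ nametype=PARENT
type=CWD : cwd=/root
----
"""

# Constructed from the mkdir/echo/rm sequence in the report: the objects that
# were really removed. Used only to grade each reconstruction.
ACTUALLY_DELETED = {
    "/root/dir1/dir2",
    "/root/dir1/dir2/dir3",
    "/root/dir1/dir2/dir3/file1",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Split `ausearch -i` output on '----' separators into events; each event
    is a list of (record_type, {field: value}) tuples."""
    events = []
    for chunk in text.split("----"):
        records = []
        for line in chunk.strip().splitlines():
            head, _, body = line.partition(" : ")
            rtype = head.split("=", 1)[1]
            fields = dict(FIELD_RE.findall(body))
            if rtype == "PROCTITLE":
                # the command line contains spaces, so keep it whole
                fields["proctitle"] = body.split("proctitle=", 1)[1]
            records.append((rtype, fields))
        if records:
            events.append(records)
    return events


def reconstruct(event):
    """Combine DELETE, PARENT and CWD into an absolute path (assumed rule):
    an absolute DELETE name is taken as-is; a relative DELETE name that already
    starts with the PARENT name is resolved against CWD; otherwise the DELETE
    name is appended to the PARENT (itself resolved against CWD if relative);
    a '(null)' DELETE name cannot be reconstructed at all."""
    cwd = parent = deleted = None
    for rtype, f in event:
        if rtype == "CWD":
            cwd = f["cwd"]
        elif rtype == "PATH" and f.get("nametype") == "DELETE":
            deleted = f["name"]
        elif rtype == "PATH" and f.get("nametype") == "PARENT" and f["name"] != "(null)":
            parent = f["name"]
    if deleted is None or deleted == "(null)":
        return None, "unreconstructable"
    if deleted.startswith("/"):
        return posixpath.normpath(deleted), "absolute"
    if parent and deleted.startswith(parent.rstrip("/") + "/"):
        return posixpath.normpath(posixpath.join(cwd, deleted)), "relative-to-cwd"
    base = parent if parent and parent.startswith("/") else posixpath.join(cwd, parent or "")
    return posixpath.normpath(posixpath.join(base, deleted)), "parent-joined"


def audit_deletions(text):
    """Return (proctitle, reconstructed_path, how, matches_real_target) per event."""
    out = []
    for event in parse_events(text):
        proctitle = next(f["proctitle"] for t, f in event if t == "PROCTITLE")
        path, how = reconstruct(event)
        out.append((proctitle, path, how, path in ACTUALLY_DELETED))
    return out


if __name__ == "__main__":
    for proctitle, path, how, ok in audit_deletions(SAMPLE):
        verdict = "matches real target" if ok else "WRONG or unknown"
        print(f"{proctitle!r:30} -> {str(path):18} [{how}] {verdict}")
```

Run stand-alone, the script reproduces the reporter's count: only the `dir1/dir2` + `dir1/` event and the absolute `/root/dir1/dir2` event resolve to something that was really deleted. The `file1` event joins to `/root/file1`, which never existed (the file lived under `/root/dir1/dir2/dir3/`), and the `(null)` event yields nothing at all. A log consumer therefore cannot tell, from PATH and CWD alone, which of the many possible `file1` entries under `/` was removed.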
-- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit