2:53 a.m.
Ondra N. <ondrysak(a)gmail.com>
po 8. 4. 14:51 (před 3 dny)
komu: Paul
Hello,
below I enclose a reproducer script, hope it helps.
#!/bin/bash
auditctl -D -k test_key
mkdir -p
/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw
auditctl -w /tmp/random_folder -p wa -k test_key
rm -f
/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
echo "hello" >
/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file
python3 <<< "import os;
os.rename('/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file','/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file')"
ausearch -i -k test_key | tail
ausearch -k test_key --extra-obj2 --format csv | tail | grep renamed
Will hopefully try different kernel/userspace combinations later this week.
Another thing I noticed is that for me when the file already exists it
works as expected.
Commenting out the line `rm -f
/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file`
from the reproducer script yields expected result after second run.
There is a difference in the output in raw that is prolly responsible for
the field being empty.
WORKS OK file existed before obj2 column is populated with correct value
type=PROCTITLE msg=audit(04/08/2019 13:09:54.586:232192) : proctitle=python3
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=4
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
inode=134231847 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=3
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=2
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file
inode=134231847 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=1
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/
inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=0
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/
inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/08/2019 13:09:54.586:232192) : cwd=/tmp
type=SYSCALL msg=audit(04/08/2019 13:09:54.586:232192) : arch=x86_64
syscall=rename success=yes exit=0 a0=0x7ffbd89d3510 a1=0x7ffbd89d35a8
a2=0xffffffff a3=0x7ffd9b558b20 items=5 ppid=27771 pid=27779 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts0 ses=10320 comm=python3
exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test_key
DOES NOT WORK OK file did not exist before and obj2 column remains empty
type=PROCTITLE msg=audit(04/08/2019 13:12:12.685:232285) : proctitle=python3
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=3
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=2
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file
inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=1
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/
inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=0
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/
inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/08/2019 13:12:12.685:232285) : cwd=/tmp
type=SYSCALL msg=audit(04/08/2019 13:12:12.685:232285) : arch=x86_64
syscall=rename success=yes exit=0 a0=0x7f52063c2510 a1=0x7f52063c25a8
a2=0xffffffff a3=0x7ffdb7446700 items=4 ppid=28069 pid=28078 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts0 ses=10320 comm=python3
exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test_key
Hope it helps
ne 7. 4. 2019 v 10:18 odesílatel Steve Grubb <sgrubb(a)redhat.com> napsal:
On Fri, 5 Apr 2019 16:30:32 +0200
"Ondra N." <ondrysak(a)gmail.com> wrote:
> it seems that the option fails to display the second object for rename
> action.
To catch everyone up, it turns out this is audit-2.8.4 and kernel
3.10.0-957.el7.x86_64.
> interactive format correctly show renaming the file
> 5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
>
> ausearch -k test-ra -i
>
> type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
> proctitle=python3 populate_fs.py rename
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
>
name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
There seems to be a missing DELETE path record here. What I see on my
system is 2 PARENT records, 2 DELETE records, and 1 CREATE record. The
two parents is for both items (obj1 & obj2). Then both objects get
deleted, and we are left with 1 object being created. This last create
record is what OBJ2 would be. Without the second DELETE, we wind
up on the wrong record looking for 'name'.
Looking at the inodes, what is missing is the DELETE for the inode that
is being replaced with the tmp copy. Funny thing is, this works fine
for me on the same user space and kernel.
Can you pass along a simplified reproducer? Shell script would be
preferred.
Thanks,
-Steve
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
>
name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
>
name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
>
name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
> cwd=/push_agent/src/main/python/scripts
> type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
> syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
> a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=pts1 ses=5549 comm=python3
> exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
>
> but csv format shows just empty column where the info about the
> object2 should be.
>
> ausearch -k test-ra --format csv --extra-obj2
>
>
,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
>
> is this desired behaviour?