On Fri, 5 Apr 2019 16:30:32 +0200
"Ondra N." <ondrysak(a)gmail.com> wrote:
> it seems that the option fails to display the second object for
> rename action.
To catch everyone up, it turns out this is audit-2.8.4 and kernel
3.10.0-957.el7.x86_64.
> interactive format correctly shows renaming the file
> 5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
>
> ausearch -k test-ra -i
>
> type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
> proctitle=python3 populate_fs.py rename
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
There seems to be a missing DELETE path record here. What I see on my
system is 2 PARENT records, 2 DELETE records, and 1 CREATE record. The
two parents are for both items (obj1 & obj2). Then both objects get
deleted, and we are left with 1 object being created. This last create
record is what OBJ2 would be. Without the second DELETE, we wind
up on the wrong record looking for 'name'.
Looking at the inodes, what is missing is the DELETE for the inode that
is being replaced with the tmp copy. Funny thing is, this works fine
for me on the same user space and kernel.
Can you pass along a simplified reproducer? Shell script would be
preferred.
Thanks,
-Steve
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
> cwd=/push_agent/src/main/python/scripts
> type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
> syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
> a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=pts1 ses=5549 comm=python3
> exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
> but csv format shows just an empty column where the info about
> object2 should be.
>
> ausearch -k test-ra --format csv --extra-obj2
>
> ,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
>
> is this desired behaviour?
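The two PATH layouts discussed in this thread, as an added example that is not part of the original messages or of the audit user-space code: Ondra's event carries one DELETE record (the old name) while Steve's carries a second DELETE for the replaced target, and a formatter that reads obj2 from a fixed item position comes up empty on the shorter event. The sample records are constructed (paths shortened, the replaced target's name and inode invented), and the fixed-position function is an illustration of the failure mode, not ausearch's actual logic.

```python
import re

# Constructed sample events (paths shortened), modelled on the two layouts in
# the thread: the first has one DELETE (the old name), the second has an extra
# DELETE for the inode of an existing target that the rename replaced.
PREFIX = "type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : "
EVENT_ONE_DELETE = "\n".join(PREFIX + r for r in [
    "item=3 name=/tmp/rnd_pop/d/DyTbnH12dMV1nQsOxU.file inode=184553858 objtype=CREATE",
    "item=2 name=/tmp/rnd_pop/d/5M2w0d4eagxxig9KYM5.file inode=184553858 objtype=DELETE",
    "item=1 name=/tmp/rnd_pop/d/ inode=184554064 objtype=PARENT",
    "item=0 name=/tmp/rnd_pop/d/ inode=184554064 objtype=PARENT",
])
EVENT_TWO_DELETES = "\n".join(PREFIX + r for r in [
    "item=4 name=/tmp/rnd_pop/d/target.file inode=184553858 objtype=CREATE",
    "item=3 name=/tmp/rnd_pop/d/target.file inode=184553900 objtype=DELETE",  # constructed
    "item=2 name=/tmp/rnd_pop/d/source.file inode=184553858 objtype=DELETE",
    "item=1 name=/tmp/rnd_pop/d/ inode=184554064 objtype=PARENT",
    "item=0 name=/tmp/rnd_pop/d/ inode=184554064 objtype=PARENT",
])

def parse_path_records(text):
    """Parse the key=value fields of each PATH record, ordered by item number."""
    recs = [dict(re.findall(r"(\w+)=(\S+)", ln)) for ln in text.splitlines()
            if ln.startswith("type=PATH")]
    return sorted(recs, key=lambda r: int(r["item"]))

def obj2_by_fixed_position(text):
    """Fragile approach (constructed illustration, not ausearch's code): assume
    the five-record layout and read the new name from item 4. A four-record
    event has no item 4, which yields exactly an empty obj2 column."""
    recs = parse_path_records(text)
    return recs[4]["name"] if len(recs) > 4 else ""

def rename_objects(text):
    """Select obj1/obj2 by objtype so the result does not depend on whether the
    optional DELETE of a replaced target is present."""
    recs = parse_path_records(text)
    by_type = {}
    for r in recs:
        by_type.setdefault(r["objtype"], []).append(r)
    creates, deletes = by_type.get("CREATE", []), by_type.get("DELETE", [])
    if len(creates) != 1 or not 1 <= len(deletes) <= 2:
        raise ValueError("unexpected PATH layout: " + ",".join(r["objtype"] for r in recs))
    new = creates[0]
    # The renamed file keeps its inode: the DELETE sharing the CREATE inode is
    # the old name (obj1); any other DELETE is a target that was overwritten.
    old = [d for d in deletes if d["inode"] == new["inode"]]
    gone = [d for d in deletes if d["inode"] != new["inode"]]
    if len(old) != 1:
        raise ValueError("no DELETE record shares the CREATE inode")
    return {"obj1": old[0]["name"], "obj2": new["name"],
            "replaced": gone[0]["name"] if gone else None}
```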