Re: Not seeing access denied audit messages in restricted subdirectories

On Fri, 8 Nov 2019 13:39:58 -0700 "John T Olson" <jtolson(a)us.ibm.com&gt; wrote: > Greetings, > > I have the following 2 audit rules set up: > > -a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1 > -a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1 > > I have a directory structure like the following: > > (13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/ > total 257 > drwx------. 3 root root 4096 Nov 7 12:46 . > drwxr-xr-x. 15 root root 262144 Nov 7 12:50 .. > drwx------. 2 root root 4096 Nov 7 12:46 test2 > > Essentially, directory "/gpfs/fs1/test/" is owned by root and has > permissions 700. The subdirectory underneath it (with > path /gpfs/fs1/test/test2) is also owned by root and has permissions > 700. > > When I have a non-root user attempt to list the contents of directory > "/gpfs/fs1/test/" I receive an audit message for the denied access. > However, when the non-root user attempts to list the contents of the > subdirectory (/gpfs/fs1/test/test2), there is no audit message > generated. Does anyone know why this is and how I get audit messages > in both cases? Yes, the reason is because the path did not resolve so audit never saw it. This has been this way for quite some time. In the past, it was said because the path never resolved, a PATH record with all attributes could not be generated. I have mentioned to kernel maintainers, that the path is available as a syscall argument. While a full PATH record cannot be generated with file attributes, an abbreviated one could be generated. So, far...no one has saw this as a big enough problem to fix. Personally, I think it should be fixed.