2:31 p.m.
I'm trying to audit commands run in bash, including the commands arguments.
The proctitle parameter in the PROCTITLE record seems to be the most
reliable source to get that, but it does not contain exactly the "rm"
command I have typed on bash. Example:
1) rm /data/test2,txt -f
type=SYSCALL msg=audit(1616095201.302:40381): arch=c000003e syscall=263
success=yes exit=0 a0=ffffffffffffff9c a1=1b1f0c0 a2=0 a3=7fff3677a720
items=3 ppid=15954 pid=3398 auid=201327714 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2663 comm="rm"
exe="/usr/bin/rm"
key="filesystem_op"
type=CWD msg=audit(1616095201.302:40381): cwd="/home/aevangelista"
type=PATH msg=audit(1616095201.302:40381): item=0 name="/data/test2.txt"
inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00
objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0
cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=1 name="/data/" inode=64
dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=2 name="/data/test2.txt"
inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00
objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0
cap_fver=0
type=PROCTITLE msg=audit(1616095201.302:40381):
proctitle=726D002D69002F646174612F74657374322E747874002D66
The proctitle value 726D002D69002F646174612F74657374322E747874002D66 is
equal to "rm-i /data/test2.txt -f" in ASCII. Where did this -i come from?
Is it expected?
Regards,
Alan
3:01 p.m.
On Thu, Mar 18, 2021 at 8:32 PM Alan Evangelista <alan.vitor(a)gmail.com> wrote:
I'm trying to audit commands run in bash, including the commands
arguments. The proctitle parameter in the PROCTITLE record seems to be the most reliable
source to get that, but it does not contain exactly the "rm" command I have
typed on bash. Example:
1) rm /data/test2,txt -f
type=SYSCALL msg=audit(1616095201.302:40381): arch=c000003e syscall=263 success=yes
exit=0 a0=ffffffffffffff9c a1=1b1f0c0 a2=0 a3=7fff3677a720 items=3 ppid=15954 pid=3398
auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2663
comm="rm" exe="/usr/bin/rm" key="filesystem_op"
type=CWD msg=audit(1616095201.302:40381): cwd="/home/aevangelista"
type=PATH msg=audit(1616095201.302:40381): item=0 name="/data/test2.txt"
inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=1 name="/data/" inode=64
dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=2 name="/data/test2.txt"
inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1616095201.302:40381):
proctitle=726D002D69002F646174612F74657374322E747874002D66
The proctitle value 726D002D69002F646174612F74657374322E747874002D66 is equal to
"rm-i /data/test2.txt -f" in ASCII. Where did this -i come from? Is it expected?
Perhaps a shell alias? What does `type rm` say?
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
3:12 p.m.
OM> Perhaps a shell alias? What does `type rm` say?
# type rm
rm is aliased to `rm -i'
Thanks!
On Thu, Mar 18, 2021 at 5:01 PM Ondrej Mosnacek <omosnace(a)redhat.com> wrote:
On Thu, Mar 18, 2021 at 8:32 PM Alan Evangelista
<alan.vitor(a)gmail.com>
wrote:
> I'm trying to audit commands run in bash, including the commands
arguments. The proctitle parameter in the PROCTITLE record seems to be the
most reliable source to get that, but it does not contain exactly the "rm"
command I have typed on bash. Example:
>
> 1) rm /data/test2,txt -f
>
> type=SYSCALL msg=audit(1616095201.302:40381): arch=c000003e syscall=263
success=yes exit=0 a0=ffffffffffffff9c a1=1b1f0c0 a2=0 a3=7fff3677a720
items=3 ppid=15954 pid=3398 auid=201327714 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2663 comm="rm"
exe="/usr/bin/rm"
key="filesystem_op"
> type=CWD msg=audit(1616095201.302:40381): cwd="/home/aevangelista"
> type=PATH msg=audit(1616095201.302:40381): item=0 name="/data/test2.txt"
inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00
objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0
cap_fver=0
> type=PATH msg=audit(1616095201.302:40381): item=1 name="/data/" inode=64
dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=PATH msg=audit(1616095201.302:40381): item=2 name="/data/test2.txt"
inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00
objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0
cap_fver=0
> type=PROCTITLE msg=audit(1616095201.302:40381):
proctitle=726D002D69002F646174612F74657374322E747874002D66
>
> The proctitle value 726D002D69002F646174612F74657374322E747874002D66 is
equal to "rm-i /data/test2.txt -f" in ASCII. Where did this -i come from?
Is it expected?
Perhaps a shell alias? What does `type rm` say?
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
3:13 p.m.
On 2021-03-18 16:31, Alan Evangelista wrote:
I'm trying to audit commands run in bash, including the commands
arguments.
The proctitle parameter in the PROCTITLE record seems to be the most
reliable source to get that, but it does not contain exactly the "rm"
command I have typed on bash. Example:
1) rm /data/test2,txt -f
type=SYSCALL msg=audit(1616095201.302:40381): arch=c000003e syscall=263 success=yes
exit=0 a0=ffffffffffffff9c a1=1b1f0c0 a2=0 a3=7fff3677a720 items=3 ppid=15954 pid=3398
auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2663
comm="rm" exe="/usr/bin/rm" key="filesystem_op"
type=CWD msg=audit(1616095201.302:40381): cwd="/home/aevangelista"
type=PATH msg=audit(1616095201.302:40381): item=0 name="/data/test2.txt"
inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1616095201.302:40381): item=1 name="/data/" inode=64
dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1616095201.302:40381):
item=2 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0
ogid=0 rdev=00:00 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0
cap_fver=0
type=PROCTITLE msg=audit(1616095201.302:40381):
proctitle=726D002D69002F646174612F74657374322E747874002D66
The proctitle value 726D002D69002F646174612F74657374322E747874002D66 is
equal to "rm-i /data/test2.txt -f" in ASCII. Where did this -i come from?
Is it expected?
At first, this looks like something left over from the "-i" parameter
supplied to ausearch to interpret the values in the audit records to
give you that plaintext.
But more likely, it is an alias in ~/.bashrc, ~/.bash-profile,
~/.profile, /etc/bashrc, /etc/bash.bashrc, /etc/profile,
/etc/profile.d/* that is nannying you to be sure you meant to delete
what you are asking to delete.
This can be overridden with -f. rm(1) options preceed the filespec.
Alan
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
3:33 p.m.
Side note:
I found on some previous versions of CentOS 7 that if you audit a system call that often
comes before the exec() system call (e.g., auditing close() which is called a number of
times after a fork but before an exec), the PROCTITLE field will be for the parent process
and not the new process.
I am guessing that PROCTITLE is set at the first audit record (e.g., close() ) and isn’t
reset later such as when the exec() is called.
(I haven’t tested this on recent versions of CentOS or RHEL)
Todd
On Mar 18, 2021, at 1:13 PM, Richard Guy Briggs
<rgb(a)redhat.com> wrote:
On 2021-03-18 16:31, Alan Evangelista wrote:
> I'm trying to audit commands run in bash, including the commands arguments.
> The proctitle parameter in the PROCTITLE record seems to be the most
> reliable source to get that, but it does not contain exactly the "rm"
> command I have typed on bash. Example:
>
> 1) rm /data/test2,txt -f
>
> type=SYSCALL msg=audit(1616095201.302:40381): arch=c000003e syscall=263 success=yes
exit=0 a0=ffffffffffffff9c a1=1b1f0c0 a2=0 a3=7fff3677a720 items=3 ppid=15954 pid=3398
auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2663
comm="rm" exe="/usr/bin/rm" key="filesystem_op"
> type=CWD msg=audit(1616095201.302:40381): cwd="/home/aevangelista"
> type=PATH msg=audit(1616095201.302:40381): item=0 name="/data/test2.txt"
inode=38030531 dev=08:11 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> type=PATH msg=audit(1616095201.302:40381): item=1 name="/data/" inode=64
dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0 type=PATH msg=audit(1616095201.302:40381):
item=2 name="/data/test2.txt" inode=38030531 dev=08:11 mode=0100644 ouid=0
ogid=0 rdev=00:00 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0
cap_fver=0
> type=PROCTITLE msg=audit(1616095201.302:40381):
proctitle=726D002D69002F646174612F74657374322E747874002D66
>
> The proctitle value 726D002D69002F646174612F74657374322E747874002D66 is
> equal to "rm-i /data/test2.txt -f" in ASCII. Where did this -i come from?
> Is it expected?
At first, this looks like something left over from the "-i" parameter
supplied to ausearch to interpret the values in the audit records to
give you that plaintext.
But more likely, it is an alias in ~/.bashrc, ~/.bash-profile,
~/.profile, /etc/bashrc, /etc/bash.bashrc, /etc/profile,
/etc/profile.d/* that is nannying you to be sure you meant to delete
what you are asking to delete.
This can be overridden with -f. rm(1) options preceed the filespec.
> Alan
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
1375
days inactive
1375
days old
linux-audit@lists.linux-audit.osci.io
4 comments
4 participants
participants (4)
-
Alan Evangelista -
Ondrej Mosnacek -
Richard Guy Briggs -
Todd Heberlein