Hi everyone,
I am new here, so I am not exactly sure if this is the right place to ask this. I apologise in advance if this is not the right place.
I would like to ask if anyone has encountered the issue below.
I am trying to track a set of file-access system calls on a Linux system (for experimental purposes) and used the following subset of rules in the audit.rules file:
-a exit,always -F arch=b64 -S creat -S read -S write -S rename -S open -S close
What I noticed was that for the open system call, when opening an existing file for writing, the file name comes out as a ‘null’ value, as shown:
type=SYSCALL msg=audit(1423018198.026:20826531): arch=c000003e syscall=2 success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9169 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3805 comm="readfile" exe="/root/prov_project/script/readfile" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018198.026:20826531): cwd="/root/prov_project/script"
type=PATH msg=audit(1423018198.026:20826531): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018198.026:20826531): item=1 name=(null) inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL
However, opening the same file in read-only mode, or opening a non-existent file (in which case the open system call creates the file), results in the file name being captured, as shown:
type=SYSCALL msg=audit(1423018196.556:20826486): arch=c000003e syscall=2 success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9168 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3805 comm="readfile" exe="/root/prov_project/script/readfile" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018196.556:20826486): cwd="/root/prov_project/script"
type=PATH msg=audit(1423018196.556:20826486): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018196.556:20826486): item=1 name="sample_text.txt" inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE
Hence the question: Is this an intended feature or a bug?
I would appreciate it if anyone could shed some light on this.
To reproduce: write to a non-existing file first, close it and then open and write to the same file again.
I am running version 2.3.7-5 of the audit framework on CentOS 6.4 (kernel version 2.6.32-431).
Thank you.
Cheers,
Alan
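The following is an added example, not part of Alan's post or of the audit project: a small Python parser that groups audit records by their serial number, flags open() events whose non-PARENT PATH record carries name=(null), decodes the a1 open flags, and tries to recover the missing name from any other event that touched the same (dev, inode). The two sample events are the records quoted in the post; the open() syscall number (2 on arch=c000003e, i.e. x86_64) and the O_CREAT/O_TRUNC bit values are the x86_64 Linux constants. A gap like this matters to a defender because the write that truncates the file is exactly the one whose path goes missing, so correlating by inode is the practical fallback.

```python
"""Added example (not from the original post): correlate the audit records an
event emits under one serial, flag open() events whose PATH record carries
name=(null), and recover the missing name from other events that touched the
same inode.  The sample records below are the ones quoted in the post."""
import os
import re
from collections import defaultdict

# The two events quoted in the post, one record per line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423018198.026:20826531): arch=c000003e syscall=2 success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9169 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3805 comm="readfile" exe="/root/prov_project/script/readfile" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018198.026:20826531): cwd="/root/prov_project/script"
type=PATH msg=audit(1423018198.026:20826531): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018198.026:20826531): item=1 name=(null) inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1423018196.556:20826486): arch=c000003e syscall=2 success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9168 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3805 comm="readfile" exe="/root/prov_project/script/readfile" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018196.556:20826486): cwd="/root/prov_project/script"
type=PATH msg=audit(1423018196.556:20826486): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018196.556:20826486): item=1 name="sample_text.txt" inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# Values are either "quoted", (parenthesised) like (null), or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
SYS_OPEN_X86_64 = "2"           # syscall=2 is open() when arch=c000003e (x86_64)
O_CREAT, O_TRUNC = 0x40, 0x200  # x86_64 open(2) flag bits; a1 is logged in hex


def parse_record(line):
    """Split one audit line into type, timestamp, serial and a field dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": ts, "serial": int(serial), "fields": fields}


def group_events(text):
    """All records that share a serial belong to one syscall event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def describe_open_flags(a1_hex):
    """Decode the a1 argument of open() into symbolic flag names."""
    flags = int(a1_hex, 16)
    names = [{0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR", 3: "O_ACCMODE?"}[flags & 0x3]]
    names += [n for n, bit in (("O_CREAT", O_CREAT), ("O_TRUNC", O_TRUNC)) if flags & bit]
    return "|".join(names)


def inode_name_index(events):
    """Map (dev, inode) -> absolute path from every PATH record that did carry a name."""
    index = {}
    for recs in events.values():
        cwd = next((r["fields"]["cwd"] for r in recs if r["type"] == "CWD"), "/")
        for r in recs:
            f = r["fields"]
            if r["type"] == "PATH" and f.get("name") not in (None, "(null)"):
                index[(f["dev"], f["inode"])] = os.path.join(cwd, f["name"])
    return index


def find_nameless_opens(text):
    """Return one finding per open() event whose target PATH record lost its name."""
    events = group_events(text)
    known = inode_name_index(events)
    findings = []
    for serial, recs in sorted(events.items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not sc or sc["fields"].get("syscall") != SYS_OPEN_X86_64:
            continue
        for r in recs:
            f = r["fields"]
            if r["type"] == "PATH" and f.get("nametype") != "PARENT" and f.get("name") == "(null)":
                findings.append({
                    "serial": serial,
                    "pid": sc["fields"]["pid"],
                    "flags": describe_open_flags(sc["fields"]["a1"]),
                    "inode": f["inode"],
                    "recovered": known.get((f["dev"], f["inode"])),  # None if never seen named
                })
    return findings


if __name__ == "__main__":
    for hit in find_nameless_opens(SAMPLE_LOG):
        print(hit)
```

Run as-is it reports the serial 20826531 event as an O_WRONLY|O_CREAT|O_TRUNC open of inode 269089 and recovers the name from the earlier CREATE event on the same inode. On a real log, feed it the concatenated audit.log files for the period; the inode index only helps while the file has not been unlinked and recreated, which is the caveat to keep in mind when relying on this correlation.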