Ondra N. <ondrysak@gmail.com>
Mon 8 Apr 14:51 (3 days ago)
to: Paul
Hello,
below I enclose a reproducer script; I hope it helps.
#!/bin/bash
# Start from a clean slate: drop any rules already tagged with the test key.
auditctl -D -k test_key
mkdir -p /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw
# Watch the whole tree for writes and attribute changes, tagged with the key.
auditctl -w /tmp/random_folder -p wa -k test_key
# Make sure the rename target does NOT exist (comment this line out to get the working case).
rm -f /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
# Create the source file, then rename it onto the (absent) target name.
echo "hello" > /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file
python3 <<< "import os; os.rename('/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file','/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file')"
# Interpreted records for the event, then the CSV view with the second-object column.
ausearch -i -k test_key | tail
ausearch -k test_key --extra-obj2 --format csv | tail | grep renamed
Will hopefully try different kernel/userspace combinations later this week.
Another thing I noticed is that, for me, when the file already exists it works as expected.
Commenting out the line `rm -f /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file` in the reproducer script yields the expected result after the second run.
There is a difference in the raw output that is probably responsible for the field being empty.
WORKS OK: file existed before; obj2 column is populated with the correct value
type=PROCTITLE msg=audit(04/08/2019 13:09:54.586:232192) : proctitle=python3
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=4 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file inode=134231847 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=3 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=2 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file inode=134231847 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=1 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/ inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=0 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/ inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/08/2019 13:09:54.586:232192) : cwd=/tmp
type=SYSCALL msg=audit(04/08/2019 13:09:54.586:232192) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffbd89d3510 a1=0x7ffbd89d35a8 a2=0xffffffff a3=0x7ffd9b558b20 items=5 ppid=27771 pid=27779 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10320 comm=python3 exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test_key
DOES NOT WORK: file did not exist before; obj2 column remains empty
type=PROCTITLE msg=audit(04/08/2019 13:12:12.685:232285) : proctitle=python3
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=3 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=2 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=1 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/ inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=0 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/ inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/08/2019 13:12:12.685:232285) : cwd=/tmp
type=SYSCALL msg=audit(04/08/2019 13:12:12.685:232285) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f52063c2510 a1=0x7f52063c25a8 a2=0xffffffff a3=0x7ffdb7446700 items=4 ppid=28069 pid=28078 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10320 comm=python3 exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test_key
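The two raw events above differ in exactly one record: when the target already existed there is an extra PATH item (objtype=DELETE, the old target's inode) and items=5; when it did not, there are only four items. Below is an added example, not code from the post or from the audit-userspace project, of a small parser over those two events that recovers the rename's old and new name by matching the DELETE record whose inode/dev equals the CREATE record's, instead of relying on item position, so both cases yield the same pair and the overwritten target shows up separately. The sample records are constructed from the post's output (trimmed to the fields used); the parser assumes the interpreted `ausearch -i` key=value layout with no spaces in names (real events may quote or hex-encode `name=`, which is not handled here).

```python
import re
from collections import defaultdict

# Directory and file names from the reproducer script above.
DIR = "/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw"
SRC, DST = "sSmcW4DT7bZ3XS1qcf.file", "FP6c2UlcsH5rfInFDyM.file"


def _rec(ts, serial, item, name, inode, objtype):
    """Build one PATH record in the interpreted (ausearch -i) layout; sample data only."""
    mode = "dir,755" if objtype == "PARENT" else "file,644"
    return (f"type=PATH msg=audit({ts}:{serial}) : item={item} name={name} "
            f"inode={inode} dev=fd:01 mode={mode} ouid=root ogid=root objtype={objtype}")


# Constructed from the post: target existed, five PATH records (items 2 and 3 are both DELETE).
WORKS = "\n".join([
    _rec("04/08/2019 13:09:54.586", 232192, 4, f"{DIR}/{DST}", 134231847, "CREATE"),
    _rec("04/08/2019 13:09:54.586", 232192, 3, f"{DIR}/{DST}", 134231846, "DELETE"),
    _rec("04/08/2019 13:09:54.586", 232192, 2, f"{DIR}/{SRC}", 134231847, "DELETE"),
    _rec("04/08/2019 13:09:54.586", 232192, 1, f"{DIR}/", 134237250, "PARENT"),
    _rec("04/08/2019 13:09:54.586", 232192, 0, f"{DIR}/", 134237250, "PARENT"),
    "type=SYSCALL msg=audit(04/08/2019 13:09:54.586:232192) : arch=x86_64 syscall=rename "
    "success=yes exit=0 items=5 pid=27779 comm=python3 key=test_key",
])

# Constructed from the post: target absent, four PATH records (only one DELETE).
FAILS = "\n".join([
    _rec("04/08/2019 13:12:12.685", 232285, 3, f"{DIR}/{DST}", 134231846, "CREATE"),
    _rec("04/08/2019 13:12:12.685", 232285, 2, f"{DIR}/{SRC}", 134231846, "DELETE"),
    _rec("04/08/2019 13:12:12.685", 232285, 1, f"{DIR}/", 134237250, "PARENT"),
    _rec("04/08/2019 13:12:12.685", 232285, 0, f"{DIR}/", 134237250, "PARENT"),
    "type=SYSCALL msg=audit(04/08/2019 13:12:12.685:232285) : arch=x86_64 syscall=rename "
    "success=yes exit=0 items=4 pid=28078 comm=python3 key=test_key",
])

# type=<T> msg=audit(<timestamp>:<serial>) : key=value ...   (the serial follows the last colon)
REC_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<rest>.*)$")


def parse_record(line):
    """Split one interpreted audit record into a dict, or return None if it does not match."""
    m = REC_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    return {"type": m.group("type"), "serial": int(m.group("serial")), **fields}


def group_events(text):
    """Group records by event serial, so SYSCALL and PATH lines of one event sit together."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def rename_objects(records):
    """For a rename event, return old name, new name, and any replaced target."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if syscall is None or syscall.get("syscall") not in ("rename", "renameat", "renameat2"):
        return None
    paths = sorted((r for r in records if r["type"] == "PATH"), key=lambda r: int(r["item"]))
    created = [p for p in paths if p.get("objtype") == "CREATE"]
    deleted = [p for p in paths if p.get("objtype") == "DELETE"]
    if len(created) != 1:
        return None
    dest = created[0]
    # The inode travels with the rename: the DELETE record sharing the CREATE
    # record's inode and dev is the old name of the same file.
    src = [p for p in deleted if (p["inode"], p["dev"]) == (dest["inode"], dest["dev"])]
    # Any other DELETE record is a pre-existing target that rename() replaced.
    replaced = [p["name"] for p in deleted if p not in src]
    if len(src) != 1:
        return None
    return {"from": src[0]["name"], "to": dest["name"],
            "replaced": replaced, "items": int(syscall["items"])}


if __name__ == "__main__":
    for label, text in (("target existed", WORKS), ("target absent", FAILS)):
        for serial, recs in group_events(text).items():
            print(label, serial, rename_objects(recs))
```

Run on both events the parser reports the same from/to pair; only `replaced` differs (the old target's name in the first case, empty in the second), which is the distinction the CSV obj2 column should survive.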