<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
Hi,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0 elementToProof">This issue was already reported by me at the GitHub linux-audit / audit-userspace issues site, but Steve Grubb suggested writing here to report the issue to the kernel-side developers.<br>
</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0 elementToProof">Just in case, you can find the original thread under this link:</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">https://github.com/linux-audit/audit-userspace/issues/298</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">entitled:</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">The directory removing loses a fraction of path.</div>
<div><br class="ContentPasted0">
</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">Problem description.</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">(Slightly changed compared to the original thread.)</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">When deleting a directory, there is not enough information in the 'audit.log' file to reconstruct the full path to the deleted file as well as to the deleted directory.</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">When the following sequence of commands is run in bash, we get the information presented below in the 'audit.log' file. Apart from two cases, none of the others allow reconstructing the full path from the 'CWD' and 'PATH' records.</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">command sequence</div>
<div class="ContentPasted0">----</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"># cd /root</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"># mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1</div>
<div class="ContentPasted0"># rm -rf dir1/dir2</div>
<div class="ContentPasted0"># ausearch -i -ts 02/20/2023 09:37:00 -te 02/20/2023 09:38:00 > relative_without_trailing_slash.txt</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"># mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1</div>
<div class="ContentPasted0"># rm -rf dir1/dir2/</div>
<div class="ContentPasted0"># ausearch -i -ts 02/20/2023 09:38:00 -te 02/20/2023 09:39:00 > relative_with_trailing_slash.txt</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"># mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1</div>
<div class="ContentPasted0"># rm -rf /root/dir1/dir2/</div>
<div class="ContentPasted0"># ausearch -i -ts 02/20/2023 09:39:00 -te 02/20/2023 09:40:00 > absolute_with_trailing_slash.txt</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0"># mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1</div>
<div class="ContentPasted0"># rm -rf /root/dir1/dir2</div>
<div class="ContentPasted0"># ausearch -i -ts 02/20/2023 09:40:00 -te 02/20/2023 09:41:00 > absolute_without_trailing_slash.txt</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">results</div>
<div class="ContentPasted0">----</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0"># cat relative_without_trailing_slash.txt # (edited)</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf dir1/dir2</div>
<div class="ContentPasted0">type=PATH : item=1 name=file1 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf dir1/dir2</div>
<div class="ContentPasted0">type=PATH : item=1 name=dir3 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf dir1/dir2</div>
<div class="ContentPasted0">type=PATH : item=1 name=dir1/dir2 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=dir1/ nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0"># cat relative_with_trailing_slash.txt # (edited)</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/</div>
<div class="ContentPasted0">type=PATH : item=1 name=file1 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/</div>
<div class="ContentPasted0">type=PATH : item=1 name=dir3 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/</div>
<div class="ContentPasted0">type=PATH : item=2 name=(null) nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=1 name=(null) nametype=PARENT</div>
<div class="ContentPasted0">type=PATH : item=0 name=dir1/ nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0"># cat absolute_with_trailing_slash.txt # (edited)</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2/</div>
<div class="ContentPasted0">type=PATH : item=1 name=file1 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2/</div>
<div class="ContentPasted0">type=PATH : item=1 name=dir3 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2/</div>
<div class="ContentPasted0">type=PATH : item=2 name=(null) nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=1 name=(null) nametype=PARENT</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root/dir1/ nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0 elementToProof"># cat absolute_without_trailing_slash.txt # (edited)</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2</div>
<div class="ContentPasted0">type=PATH : item=1 name=file1 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2</div>
<div class="ContentPasted0">type=PATH : item=1 name=dir3 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2</div>
<div class="ContentPasted0">type=PATH : item=1 name=/root/dir1/dir2 nametype=DELETE</div>
<div class="ContentPasted0">type=PATH : item=0 name=/root/dir1/ nametype=PARENT</div>
<div class="ContentPasted0">type=CWD : cwd=/root</div>
<div class="ContentPasted0">----</div>
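<div class="ContentPasted0">The reconstruction attempted by a log reader, as an added Python example that is not part of the original message or of the audit project's code: it parses the twelve PATH/CWD events quoted above (PROCTITLE lines dropped, since they carry no path information), joins each DELETE name to its nearest PARENT record resolved against cwd, and compares the result with what rm actually removed. The ground-truth list, the "nearest PARENT plus basename" join rule and the (null) handling are assumptions of this example, not documented audit semantics; only two of the twelve deletions come out right, which is the "apart from two cases" observation above.</div>

```python
import os
import re

# Ground truth (assumed from the command sequence in the report): every
# test case runs rm -rf on dir1/dir2 from /root, removing these three
# objects, deepest first.
EXPECTED = [
    "/root/dir1/dir2/dir3/file1",
    "/root/dir1/dir2/dir3",
    "/root/dir1/dir2",
]

# The first two events are identical in all four ausearch -i outputs.
FIRST_TWO = [
    "type=PATH : item=1 name=file1 nametype=DELETE\n"
    "type=PATH : item=0 name=/root nametype=PARENT\n"
    "type=CWD : cwd=/root",
    "type=PATH : item=1 name=dir3 nametype=DELETE\n"
    "type=PATH : item=0 name=/root nametype=PARENT\n"
    "type=CWD : cwd=/root",
]

# Third event of each case, copied from the report.
CASES = {
    "relative_without_trailing_slash": FIRST_TWO + [
        "type=PATH : item=1 name=dir1/dir2 nametype=DELETE\n"
        "type=PATH : item=0 name=dir1/ nametype=PARENT\n"
        "type=CWD : cwd=/root"],
    "relative_with_trailing_slash": FIRST_TWO + [
        "type=PATH : item=2 name=(null) nametype=DELETE\n"
        "type=PATH : item=1 name=(null) nametype=PARENT\n"
        "type=PATH : item=0 name=dir1/ nametype=PARENT\n"
        "type=CWD : cwd=/root"],
    "absolute_with_trailing_slash": FIRST_TWO + [
        "type=PATH : item=2 name=(null) nametype=DELETE\n"
        "type=PATH : item=1 name=(null) nametype=PARENT\n"
        "type=PATH : item=0 name=/root/dir1/ nametype=PARENT\n"
        "type=CWD : cwd=/root"],
    "absolute_without_trailing_slash": FIRST_TWO + [
        "type=PATH : item=1 name=/root/dir1/dir2 nametype=DELETE\n"
        "type=PATH : item=0 name=/root/dir1/ nametype=PARENT\n"
        "type=CWD : cwd=/root"],
}

LINE_RE = re.compile(r"^type=(\w+) : (.*)$")


def parse_event(text):
    """Return (cwd, {item: (name, nametype)}) from one ausearch -i event."""
    cwd, paths = None, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rtype, rest = m.groups()
        fields = dict(tok.split("=", 1) for tok in rest.split())
        if rtype == "CWD":
            cwd = fields["cwd"]
        elif rtype == "PATH":
            paths[int(fields["item"])] = (fields["name"], fields["nametype"])
    return cwd, paths


def reconstruct(text):
    """Best-effort full path of the deleted object, or (None, reason)."""
    cwd, paths = parse_event(text)
    deletes = [(i, n) for i, (n, t) in paths.items() if t == "DELETE"]
    if not deletes:
        return None, "no DELETE record"
    item, name = deletes[0]
    if name == "(null)":
        return None, "DELETE name is (null)"
    if os.path.isabs(name):
        return os.path.normpath(name), "absolute DELETE name"
    # Relative name: the only anchor the log offers is the nearest PARENT
    # record (lower item number), itself resolved against cwd. This is an
    # assumed rule; it is exactly where the report's cases go wrong.
    parents = [(i, n) for i, (n, t) in paths.items()
               if t == "PARENT" and item > i]
    if not parents:
        return None, "no PARENT record"
    _, parent = max(parents)
    if parent == "(null)":
        return None, "PARENT name is (null)"
    parent_abs = os.path.normpath(os.path.join(cwd, parent))
    full = os.path.join(parent_abs, os.path.basename(name.rstrip("/")))
    return full, "PARENT + basename of DELETE name"


def check_all():
    """Compare every reconstruction with the ground truth; returns rows of
    (case, reconstructed, expected, ok, how)."""
    rows = []
    for case, events in CASES.items():
        for text, expected in zip(events, EXPECTED):
            got, how = reconstruct(text)
            rows.append((case, got, expected, got == expected, how))
    return rows


if __name__ == "__main__":
    rows = check_all()
    for case, got, expected, ok, how in rows:
        mark = "OK " if ok else "BAD"
        print(f"{mark} {case:33} {str(got):28} expected {expected} ({how})")
    print(f"{sum(r[3] for r in rows)} of {len(rows)} deletions reconstructible")
```

<div class="ContentPasted0">Running the block prints one line per event; the two OK rows are the third event of the relative-without-trailing-slash case (PARENT dir1/ joined with dir2 under cwd /root) and of the absolute-without-trailing-slash case (absolute DELETE name). For the file1 and dir3 events the join yields /root/file1 and /root/dir3, which are well-formed but wrong, so a reader cannot tell from the record itself that the intermediate directories are missing; the (null) events cannot be resolved at all.</div>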
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">Tested on</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">RedHat 9.0, Alma 9.0</div>
<div class="ContentPasted0">kernel - 5.14.0-70.13.1.el9_0.x86_64</div>
<div class="ContentPasted0">packages - audit.x86_64, audit-libs.x86_64 - 3.0.7-103.el9</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">RedHat 8.6, Alma 8.6</div>
<div class="ContentPasted0">kernel - 4.18.0-372.9.1.el8.x86_64</div>
<div class="ContentPasted0">packages - audit.x86_64, audit-libs.x86_64 - 3.0.7-4.el8</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">RedHat 7.9, Centos 7.9</div>
<div class="ContentPasted0">kernel - 3.10.0-1160.80.1.el7.x86_64</div>
<div class="ContentPasted0">packages - audit.x86_64, audit-libs.x86_64 - 2.8.5-4.el7</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">Ubuntu 22.04.2</div>
<div class="ContentPasted0">kernel - 5.15.0-60-generic</div>
<div class="ContentPasted0">packages - auditd, libaudit-common, libaudit-dev:amd64, libaudit1:amd64 - 1:3.0.7-1build1</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----<br>
</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">Configuration files on RedHat 9.0</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">/etc/audit/audit.rules</div>
<div class="ContentPasted0">----</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">-D</div>
<div class="ContentPasted0">-b 8192</div>
<div class="ContentPasted0">-f 1</div>
<div class="ContentPasted0">-w / -p w -k TEST</div>
<div class="ContentPasted0">--backlog_wait_time 60000</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">/etc/audit/auditd.conf</div>
<div class="ContentPasted0">----</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">local_events = yes</div>
<div class="ContentPasted0">write_logs = yes</div>
<div class="ContentPasted0">log_file = /var/log/audit/audit.log</div>
<div class="ContentPasted0">log_group = root</div>
<div class="ContentPasted0">log_format = ENRICHED</div>
<div class="ContentPasted0">flush = INCREMENTAL_ASYNC</div>
<div class="ContentPasted0">freq = 50</div>
<div class="ContentPasted0">max_log_file = 8</div>
<div class="ContentPasted0">num_logs = 5</div>
<div class="ContentPasted0">priority_boost = 4</div>
<div class="ContentPasted0">name_format = NONE</div>
<div class="ContentPasted0">##name = mydomain</div>
<div class="ContentPasted0">max_log_file_action = ROTATE</div>
<div class="ContentPasted0">space_left = 75</div>
<div class="ContentPasted0">space_left_action = SYSLOG</div>
<div class="ContentPasted0">verify_email = yes</div>
<div class="ContentPasted0">action_mail_acct = root</div>
<div class="ContentPasted0">admin_space_left = 50</div>
<div class="ContentPasted0">admin_space_left_action = SUSPEND</div>
<div class="ContentPasted0">disk_full_action = SUSPEND</div>
<div class="ContentPasted0">disk_error_action = SUSPEND</div>
<div class="ContentPasted0">use_libwrap = yes</div>
<div class="ContentPasted0">##tcp_listen_port = 60</div>
<div class="ContentPasted0">tcp_listen_queue = 5</div>
<div class="ContentPasted0">tcp_max_per_addr = 1</div>
<div class="ContentPasted0">##tcp_client_ports = 1024-65535</div>
<div class="ContentPasted0">tcp_client_max_idle = 0</div>
<div class="ContentPasted0">transport = TCP</div>
<div class="ContentPasted0">krb5_principal = auditd</div>
<div class="ContentPasted0">##krb5_key_file = /etc/audit/audit.key</div>
<div class="ContentPasted0">distribute_network = no</div>
<div class="ContentPasted0">q_depth = 1200</div>
<div class="ContentPasted0">overflow_action = SYSLOG</div>
<div class="ContentPasted0">max_restarts = 10</div>
<div class="ContentPasted0">plugin_dir = /etc/audit/plugins.d</div>
<div class="ContentPasted0">end_of_event_timeout = 2</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">----</div>
<div class="ContentPasted0">----</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0 elementToProof">As suggested by Steve, I also checked the following rules independently, instead of '-w / -p w -k TEST'.</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">-a always,exit -F arch=b64 -F dir=/root/dir1/dir2/dir3/ -k TEST</div>
<div class="ContentPasted0">-a always,exit -F arch=b64 -F path=/root/dir1/dir2/dir3/file1 -k TEST</div>
<div class="ContentPasted0">-a always,exit -F arch=b64 -S unlinkat -k TEST</div>
<div><br class="ContentPasted0">
</div>
<div class="ContentPasted0">And I always get the same results as in the '-w / -p w' watch case. There is still not enough information in the 'audit.log' file to reconstruct the full path to the deleted file.</div>
<div><br class="ContentPasted0">
</div>
On the other hand, the goal is to monitor events across the file system. There is no way to predict what will be deleted. Therefore, applying rules to specific directories and files seems to be the wrong way to go.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
----<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0">
/Jarek.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof ContentPasted0 ContentPasted1">
jjozwiak (at) catalogicsoftware.com<br>
</div>
</body>
</html>