Full path of the filename not showing up in audit logs for some entries in aureport -f

Steve Grubb sgrubb at redhat.com
Tue Mar 28 02:22:18 UTC 2017


On Thursday, March 9, 2017 2:30:33 PM EDT Steve Grubb wrote:
> Hello,
> 
> On Monday, February 27, 2017 9:05:18 PM EST Kaptaan wrote:
> > I have set some file monitoring audit rules on a directory and the audit
> > log shows some entries like
> > 
> > ausearch -if $LOGDIR -a 448424 -i
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > ----
> > type=PATH msg=audit(02/27/2017 13:50:13.917:448424) : item=1
> > name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1
> > inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> > nametype=CREATE type=PATH msg=audit(02/27/2017 13:50:13.917:448424) :
> > item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> > ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=CWD
> > msg=audit(02/27/2017 13:50:13.917:448424) :
> > cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635 type=SYSCALL
> > msg=audit(02/27/2017 13:50:13.917:448424) : arch=i386 syscall=open
> > success=yes exit=5 a0=0x8be40c0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0
> > items=2 ppid=635 pid=677 auid=rmoroncelli uid=akatekar gid=mfradmin
> > euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin
> > fsgid=mfradmin tty=(none) ses=219531 comm=EXECPGM
> > exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM key=DFS_DATA
> > 
> > ausearch -if $LOGDIR -a 448424 --raw | aureport -i -f
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > 
> > File Report
> > ===============================================
> > # date time file syscall success exe auid event
> > ===============================================
> > 1. 02/27/2017 13:50:13 /qdap01/tax/data/seqfiles/DFS/ open yes
> > /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM rmoroncelli 448424
> > 
> > As you can see the full path of the file is available for the audit event,
> > but yet the aureport -f does not show the complete file name. Any idea why
> > this is happening and what should I do to get the full path as given in
> > item1. It seems for some reason, it always gives the filename in item0.
> 
> A long time ago, the kernel only produced one PATH record. So, aureport
> printed one PATH record. Ausearch and Aureport share the same record parser.
> At some point in the past, it was decided that we are going to get multiple
> PATH records that describe different things about the event.  So, work was
> done in the parser to locate all of the pieces for searching. But work was
> not done on the aureport file report. So, what you are seeing is the first
> PATH record which is the directory.
> 
> > I have another entry where the inode is present but the name is (null).
> > 
> > ausearch -if $LOGDIR -a 448425 -i
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > ----
> > type=PATH msg=audit(02/27/2017 13:50:14.862:448425) : item=1 name=(null)
> > inode=6581 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> > nametype=NORMAL type=PATH msg=audit(02/27/2017 13:50:14.862:448425) :
> > item=0 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> > ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=CWD
> > msg=audit(02/27/2017 13:50:14.862:448425) :
> > cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635 type=SYSCALL
> > msg=audit(02/27/2017 13:50:14.862:448425) : arch=i386 syscall=open
> > success=yes exit=5 a0=0x914552a a1=O_WRONLY|O_CREAT|O_TRUNC a2=0777 a3=0x0
> > items=2 ppid=677 pid=803 auid=rmoroncelli uid=akatekar gid=mfradmin
> > euid=akatekar suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin
> > fsgid=mfradmin tty=(none) ses=219531 comm=IEBGENER
> > exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER key=DFS_DATA
> > 
> > ausearch -if $LOGDIR -a 448425 --raw | aureport -i -f
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > 
> > File Report
> > ===============================================
> > # date time file syscall success exe auid event
> > ===============================================
> > 1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ open yes
> > /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER rmoroncelli 448425
> > 
> > Why is this coming as null for item1?
> 
> I couldn't tell you the exact reason, but it's something along the lines of
> the name was not available. You might say, isn't the name one of the
> parameters passed to the open syscall? And I'd say yep. Maybe one of these
> days it will get used when path name resolution fails.
> 
> > Another entry has a rename SYSCALL, which comes out
> > 
> > ausearch -if $LOGDIR -a 448427 -i
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > ----
> > type=PATH msg=audit(02/27/2017 13:50:14.939:448427) : item=3
> > name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08 inode=6703
> > dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> > nametype=CREATE type=PATH msg=audit(02/27/2017 13:50:14.939:448427) :
> > item=2 name=/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07
> > inode=6703 dev=fd:33 mode=file,777 ouid=akatekar ogid=mfradmin rdev=00:00
> > nametype=DELETE type=PATH msg=audit(02/27/2017 13:50:14.939:448427) :
> > item=1 name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> > ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=PATH
> > msg=audit(02/27/2017 13:50:14.939:448427) : item=0
> > name=/qdap01/tax/data/seqfiles/DFS/ inode=2 dev=fd:33 mode=dir,770
> > ouid=mfradmin ogid=mfradmin rdev=00:00 nametype=PARENT type=CWD
> > msg=audit(02/27/2017 13:50:14.939:448427) :
> > cwd=/qdap01/tax/users/akatekar/mbmwk/1488225013.635 type=SYSCALL
> > msg=audit(02/27/2017 13:50:14.939:448427) : arch=i386 syscall=rename
> > success=yes exit=0 a0=0xfff3b160 a1=0xfff3ad60 a2=0x7 a3=0xfff3b160
> > items=4
> > ppid=840 pid=843 auid=rmoroncelli uid=akatekar gid=mfradmin euid=akatekar
> > suid=akatekar fsuid=akatekar egid=mfradmin sgid=mfradmin fsgid=mfradmin
> > tty=(none) ses=219531 comm=gdgen
> > exe=/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen key=DFS_DATA
> > 
> > 
> > ausearch -if $LOGDIR -a 448427 -r | aureport -i -f
> > NOTE - using logs in /qdap01/tax/logs/audit.log
> > 
> > File Report
> > ===============================================
> > # date time file syscall success exe auid event
> > ===============================================
> > 1. 02/27/2017 13:50:14 /qdap01/tax/data/seqfiles/DFS/ rename yes
> > /qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen rmoroncelli 448427
> > 
> > How can we get both the filenames (in item3 and item2) in the aureport?
> 
> Aureport has never supported that. I'd say that perhaps it should be changed
> to skip parent records if the other ones don't have (null).

This has been put into the next release which should go out tomorrow. It will 
now pick the first non-parent record. This should be closer to what you want.

-Steve

> > Finally, can we have uid come out in the aureport along with auid? Any
> > option/arguments that might help?
> 
> Nope. That would take reworking the output of aureport.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
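The PATH-record selection Steve describes (old aureport printed the first PATH record, i.e. the PARENT directory; the fixed release picks the first non-parent record) is easy to get wrong when name=(null) or when a rename carries two object records. The script below is an added example written for this page, not code from audit-userspace or from anyone in the thread. It parses a constructed, simplified ausearch --raw style sample modelled on the three events above (serials, paths and item layout mirror the thread; timestamps, numeric ids and the i386 syscall numbers 5/open and 38/rename are assumptions of the sample), reproduces both the legacy and the fixed selection, falls back to the PARENT directory when the object record has name=(null), lists every non-parent name so a rename shows both old and new names, and carries uid next to auid, which stock aureport does not.

```python
"""Pick the file name an audit file report should show for each event.

Added example, not audit-userspace code. Selection rules:
  legacy_file_name  - first PATH record (item 0), the behaviour the thread
                      complains about: for a create/rename that is the PARENT dir
  report_file_name  - first non-PARENT PATH record with a usable name, the
                      behaviour of the fixed release; falls back to the PARENT
                      directory when the only object record is name=(null)
  object_names      - every non-PARENT name in item order (rename: old + new)
"""
import re
from collections import OrderedDict

# Constructed sample in simplified raw (ausearch --raw) form. Serials, paths and
# item layout follow the thread; epoch times, ids and arch are assumed values.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1488221413.917:448424): arch=40000003 syscall=5 success=yes exit=5 items=2 auid=1001 uid=1002 comm="EXECPGM" exe="/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/EXECPGM" key="DFS_DATA"
type=CWD msg=audit(1488221413.917:448424): cwd="/qdap01/tax/users/akatekar/mbmwk/1488225013.635"
type=PATH msg=audit(1488221413.917:448424): item=0 name="/qdap01/tax/data/seqfiles/DFS/" inode=2 dev=fd:33 nametype=PARENT
type=PATH msg=audit(1488221413.917:448424): item=1 name="/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG.tax.41.tmp1" inode=6581 dev=fd:33 nametype=CREATE
type=SYSCALL msg=audit(1488221414.862:448425): arch=40000003 syscall=5 success=yes exit=5 items=2 auid=1001 uid=1002 comm="IEBGENER" exe="/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/IEBGENER" key="DFS_DATA"
type=PATH msg=audit(1488221414.862:448425): item=0 name="/qdap01/tax/data/seqfiles/DFS/" inode=2 dev=fd:33 nametype=PARENT
type=PATH msg=audit(1488221414.862:448425): item=1 name=(null) inode=6581 dev=fd:33 nametype=NORMAL
type=SYSCALL msg=audit(1488221414.939:448427): arch=40000003 syscall=38 success=yes exit=0 items=4 auid=1001 uid=1002 comm="gdgen" exe="/qdap01/tax/ebmnode/bpe12.7.9/public/utilm/gdgen" key="DFS_DATA"
type=PATH msg=audit(1488221414.939:448427): item=0 name="/qdap01/tax/data/seqfiles/DFS/" inode=2 dev=fd:33 nametype=PARENT
type=PATH msg=audit(1488221414.939:448427): item=1 name="/qdap01/tax/data/seqfiles/DFS/" inode=2 dev=fd:33 nametype=PARENT
type=PATH msg=audit(1488221414.939:448427): item=2 name="/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_07" inode=6703 dev=fd:33 nametype=DELETE
type=PATH msg=audit(1488221414.939:448427): item=3 name="/qdap01/tax/data/seqfiles/DFS/PPDFA.PSCM1.TESTAK.GDG_08" inode=6703 dev=fd:33 nametype=CREATE
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Only the two numbers the sample uses (i386 ABI); a real tool maps per arch.
SYSCALL_NAMES_I386 = {5: "open", 38: "rename"}


def parse_record(line):
    """Split one raw record into a dict of fields plus its serial and timestamp."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val  # unquote
    fields["serial"] = m.group("serial")
    fields["ts"] = m.group("ts")
    return fields


def group_events(text):
    """Group records by event serial, preserving log order."""
    events = OrderedDict()
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def path_records(event):
    return sorted((r for r in event if r["type"] == "PATH"), key=lambda r: int(r["item"]))


def legacy_file_name(event):
    """Old aureport -f behaviour: the first PATH record, i.e. usually the PARENT."""
    paths = path_records(event)
    return paths[0]["name"] if paths else None


def report_file_name(event):
    """Fixed behaviour: first non-PARENT record with a real name, else the parent dir."""
    paths = path_records(event)
    for r in paths:
        if r.get("nametype") != "PARENT" and r.get("name") not in (None, "(null)"):
            return r["name"]
    for r in paths:  # object name unavailable (name=(null)): report the directory
        if r.get("nametype") == "PARENT":
            return r["name"]
    return paths[0]["name"] if paths else None


def object_names(event):
    """All non-PARENT names in item order; a rename yields old then new name."""
    return [r["name"] for r in path_records(event)
            if r.get("nametype") != "PARENT" and r.get("name") != "(null)"]


def file_report(text):
    """One row per event with a SYSCALL record, like aureport -f plus uid and all objects."""
    rows = []
    for serial, event in group_events(text).items():
        sc = next((r for r in event if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        rows.append({
            "event": serial,
            "file": report_file_name(event),
            "objects": object_names(event),
            "syscall": SYSCALL_NAMES_I386.get(int(sc["syscall"]), sc["syscall"]),
            "success": sc.get("success"),
            "exe": sc.get("exe"),
            "auid": sc.get("auid"),
            "uid": sc.get("uid"),
        })
    return rows


if __name__ == "__main__":
    for row in file_report(SAMPLE_LOG):
        print("%(event)s %(syscall)s %(success)s auid=%(auid)s uid=%(uid)s file=%(file)s objects=%(objects)s" % row)
```

On real data feed `ausearch --raw` output into group_events; ids arrive numeric in raw records and are only resolved to names by ausearch -i, so the uid/auid columns here stay numeric unless you resolve them yourself.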