option --extra-obj2 does not seem to work

Ondra N. ondrysak at gmail.com
Thu Apr 11 07:53:33 UTC 2019


Ondra N. <ondrysak at gmail.com>

Mon 8 Apr 14:51 (3 days ago)

to: Paul

Hello,

below I enclose a reproducer script, hope it helps.

#!/bin/bash
# Drop any earlier rules tagged with the test key, then create the test tree.
auditctl -D -k test_key
mkdir -p /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw
# Watch the tree for writes and attribute changes under key test_key.
auditctl -w /tmp/random_folder -p wa -k test_key
# Make sure the rename target does not exist (comment this out for the "works" case).
rm -f /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
# Create the source file, then rename it over the (missing or existing) target.
echo "hello" > /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file
python3 <<< "import os; os.rename('/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file', '/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file')"
# Compare the interpreted output with the csv output that should carry obj2.
ausearch -i -k test_key | tail
ausearch -k test_key --extra-obj2 --format csv | tail | grep renamed

Will hopefully try different kernel/userspace combinations later this week.

Another thing I noticed is that for me when the file already exists it
works as expected.

Commenting out the line `rm -f /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file`
from the reproducer script yields the expected result after the second run.

There is a difference in the raw output that is probably responsible for
the field being empty.

WORKS OK: the file existed before, and the obj2 column is populated with the correct value

type=PROCTITLE msg=audit(04/08/2019 13:09:54.586:232192) : proctitle=python3
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=4 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file inode=134231847 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=3 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=2 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file inode=134231847 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=1 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/ inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=0 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/ inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/08/2019 13:09:54.586:232192) : cwd=/tmp
type=SYSCALL msg=audit(04/08/2019 13:09:54.586:232192) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffbd89d3510 a1=0x7ffbd89d35a8 a2=0xffffffff a3=0x7ffd9b558b20 items=5 ppid=27771 pid=27779 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10320 comm=python3 exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test_key


DOES NOT WORK: the file did not exist before, and the obj2 column remains empty

type=PROCTITLE msg=audit(04/08/2019 13:12:12.685:232285) : proctitle=python3
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=3 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=2 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=1 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/ inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=0 name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/ inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/08/2019 13:12:12.685:232285) : cwd=/tmp
type=SYSCALL msg=audit(04/08/2019 13:12:12.685:232285) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7f52063c2510 a1=0x7f52063c25a8 a2=0xffffffff a3=0x7ffdb7446700 items=4 ppid=28069 pid=28078 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=10320 comm=python3 exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test_key

Hope it helps.

On Sun 7 Apr 2019 at 10:18, Steve Grubb <sgrubb at redhat.com> wrote:

> On Fri, 5 Apr 2019 16:30:32 +0200
> "Ondra N." <ondrysak at gmail.com> wrote:
> > it seems that the option fails to display the second object for rename
> > action.
>
> To catch everyone up, it turns out this is audit-2.8.4 and kernel
> 3.10.0-957.el7.x86_64.
>
> > interactive format correctly show renaming the file
> > 5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
> >
> > ausearch -k test-ra -i
> >
> > type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
> > proctitle=python3 populate_fs.py rename
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
> >
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
> > inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> > objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
>
> There seems to be a missing DELETE path record here. What I see on my
> system is 2 PARENT records, 2 DELETE records, and 1 CREATE record. The
> two parents are for both items (obj1 & obj2). Then both objects get
> deleted, and we are left with 1 object being created. This last create
> record is what OBJ2 would be. Without the second DELETE, we wind
> up on the wrong record looking for 'name'.
>
> Looking at the inodes, what is missing is the DELETE for the inode that
> is being replaced with the tmp copy. Funny thing is, this works fine
> for me on the same user space and kernel.
>
> Can you pass along a simplified reproducer? Shell script would be
> preferred.
>
> Thanks,
> -Steve
>
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
> >
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
> > inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> > objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
> >
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> > inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> > objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
> >
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> > inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> > objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
> > cwd=/push_agent/src/main/python/scripts
> > type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
> > syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
> > a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
> > uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> > fsgid=root tty=pts1 ses=5549 comm=python3
> > exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
> >
> > but csv format shows just empty column where the info about the
> > object2 should be.
> >
> > ausearch -k test-ra --format csv --extra-obj2
> >
> >
> ,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
> >
> > is this desired behaviour?
>
>
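Steve's description above of how the obj2 lookup depends on the PATH record layout, as an added example that is not part of this thread or of the audit user-space code: it parses `ausearch -i` PATH records and contrasts a positional lookup (a simplified model of the behaviour Steve describes, not ausearch's own logic) with one keyed on objtype and inode, which finds both objects whether or not the target existed. The sample records are constructed from the two events in this thread with the directory paths shortened.

```python
import re

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed samples modelled on the two rename events in this thread (paths
# shortened, inodes kept). First event: target existed, so two DELETE records.
# Second event: target did not exist, so only one DELETE record.
EVENT_TARGET_EXISTED = [
    "type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=4 name=/tmp/rf/d/FP6c2UlcsH5rfInFDyM.file inode=134231847 dev=fd:01 mode=file,644 objtype=CREATE",
    "type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=3 name=/tmp/rf/d/FP6c2UlcsH5rfInFDyM.file inode=134231846 dev=fd:01 mode=file,644 objtype=DELETE",
    "type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=2 name=/tmp/rf/d/sSmcW4DT7bZ3XS1qcf.file inode=134231847 dev=fd:01 mode=file,644 objtype=DELETE",
    "type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=1 name=/tmp/rf/d/ inode=134237250 dev=fd:01 mode=dir,755 objtype=PARENT",
    "type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=0 name=/tmp/rf/d/ inode=134237250 dev=fd:01 mode=dir,755 objtype=PARENT",
    "type=SYSCALL msg=audit(04/08/2019 13:09:54.586:232192) : arch=x86_64 syscall=rename success=yes items=5 key=test_key",
]
EVENT_TARGET_MISSING = [
    "type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=3 name=/tmp/rf/d/FP6c2UlcsH5rfInFDyM.file inode=134231846 dev=fd:01 mode=file,644 objtype=CREATE",
    "type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=2 name=/tmp/rf/d/sSmcW4DT7bZ3XS1qcf.file inode=134231846 dev=fd:01 mode=file,644 objtype=DELETE",
    "type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=1 name=/tmp/rf/d/ inode=134237250 dev=fd:01 mode=dir,755 objtype=PARENT",
    "type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=0 name=/tmp/rf/d/ inode=134237250 dev=fd:01 mode=dir,755 objtype=PARENT",
    "type=SYSCALL msg=audit(04/08/2019 13:12:12.685:232285) : arch=x86_64 syscall=rename success=yes items=4 key=test_key",
]


def parse_path_records(lines):
    """Return the PATH records of one event as dicts of their key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in lines if line.startswith("type=PATH")]


def positional_obj2(records):
    """Simplified model of a layout-dependent lookup (an assumption, not ausearch's
    code): expect five PATH records and read obj2 from the item=4 CREATE record."""
    by_item = {int(r["item"]): r for r in records}
    rec = by_item.get(4)
    return rec["name"] if rec else None  # None is the "empty csv column" case


def rename_objects(records):
    """Layout-independent lookup: obj2 is the name on the CREATE record; obj1 is
    the name on the DELETE record sharing its inode (the entry that moved).
    Works for both the 5-record and the 4-record rename event."""
    creates = [r for r in records if r.get("objtype") == "CREATE"]
    deletes = [r for r in records if r.get("objtype") == "DELETE"]
    if not creates or not deletes:
        return None, None
    obj2 = creates[0]
    moved = [d for d in deletes if d.get("inode") == obj2.get("inode")]
    obj1 = moved[0] if moved else deletes[0]  # fall back to the first DELETE
    return obj1["name"], obj2["name"]
```

The positional lookup returns None for the 4-record event, which is the empty obj2 column seen in the csv output; the inode-keyed lookup returns the same (obj1, obj2) pair for both events.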