Newer versions of audit missing information?

Mark Gardner mark at klas.com
Mon Feb 28 17:29:54 UTC 2022


I have set up a watch on specific directories for changes so we can report to our auditors about deployments being done by the proper staff members.
So for example -w /root/test -p ra -k test.
If I copied / removed a file in that directory, I would get audit results similar to the following:


[root at localhost test]# ausearch -k test --format text -ts recent
At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm

This worked fine in CentOS 7 and CentOS 8 (not stream).

Testing with CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 also worked until I updated the audit package


[root at localhost test]# dnf list installed audit
Installed Packages
audit.x86_64              3.0-0.17.20191104git1c2f876.el8              @anaconda

[root at localhost test]# ausearch -k test --format text -ts recent
At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm

[root at localhost test]# dnf list audit
CentOS Stream 8 - AppStream                     7.7 MB/s |  20 MB     00:02
CentOS Stream 8 - BaseOS                        9.5 MB/s |  19 MB     00:02
CentOS Stream 8 - Extras                         52 kB/s |  18 kB     00:00
Installed Packages
audit.x86_64              3.0-0.17.20191104git1c2f876.el8              @anaconda
Available Packages
audit.x86_64              3.0.7-1.el8                                  baseos

After Upgrade:

[root at localhost test]# auditctl -l
No rules
[root at localhost test]# auditctl -w /root/test -p wa -k test
[root at localhost test]# cp /etc/hosts .
[root at localhost test]# rm hosts
rm: remove regular file 'hosts'? y
[root at localhost test]# ausearch -k test --format text -ts recent
At 14:10:55 02/28/2022 root successfully opened-file  using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted  using /usr/bin/rm
At 14:13:16 02/28/2022 system, acting as root, successfully remove_rule test using /usr/sbin/auditctl
At 14:14:11 02/28/2022 root successfully add_rule test using /usr/sbin/auditctl
At 14:14:23 02/28/2022 root successfully opened-file  using /usr/bin/cp
At 14:14:30 02/28/2022 root successfully deleted  using /usr/bin/rm
[root at localhost test]#

Notice no information on what file was copied / removed?



Even the earlier log entries don't show what file was copied / removed.

If I downgrade to audit 3.0-0.17, everything is there.

Is there another way to monitor a directory so we know which files were modified / removed?
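The `--format text` summary above is a rendering of the underlying records; the raw event still carries the file name in its PATH records (`name=` and `nametype=`), the working directory in the CWD record, and the executable and login uid in the SYSCALL record. The script below is an added example, not part of the post or of the audit project: it reads raw `ausearch` output (the default format, without `--format text`) and prints one line per touched path, resolving relative names against `cwd`. The two sample events are constructed to look like the cp and rm in the post; the inode, pid and argument values are illustrative only.

```shell
#!/bin/sh
# Constructed sample of raw `ausearch -k test` output: one open-for-write by cp
# and one unlink by rm. Field values are made up for the example.
SAMPLE='----
time->Mon Feb 28 14:14:23 2022
type=PROCTITLE msg=audit(1646057663.101:301): proctitle=6370002F6574632F686F737473002E
type=PATH msg=audit(1646057663.101:301): item=1 name="./hosts" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1646057663.101:301): item=0 name="/root/test" inode=1000 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1646057663.101:301): cwd="/root/test"
type=SYSCALL msg=audit(1646057663.101:301): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd0 a2=80241 a3=1a4 items=2 ppid=100 pid=200 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cp" exe="/usr/bin/cp" key="test"
----
time->Mon Feb 28 14:14:30 2022
type=PROCTITLE msg=audit(1646057670.202:302): proctitle=726D00686F737473
type=PATH msg=audit(1646057670.202:302): item=1 name="hosts" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1646057670.202:302): item=0 name="/root/test" inode=1000 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1646057670.202:302): cwd="/root/test"
type=SYSCALL msg=audit(1646057670.202:302): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=2 ppid=100 pid=201 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="rm" exe="/usr/bin/rm" key="test"
'

# audit_paths: read raw ausearch output on stdin and print, per touched path,
#   <serial> <auid> <exe> <cwd> <nametype> <resolved name>
# PARENT entries (the watched directory itself) are skipped; events without a
# PATH record (e.g. the add_rule/remove_rule CONFIG_CHANGE events) print nothing.
# Real use (hypothetical, needs root): ausearch -k test -ts recent | audit_paths
audit_paths() {
  awk '
    # value of key k on the current record, quoted form first, then bare
    function field(k) {
      if (match($0, k "=\"[^\"]*\"")) return substr($0, RSTART + length(k) + 2, RLENGTH - length(k) - 3)
      if (match($0, k "=[^ ]*"))      return substr($0, RSTART + length(k) + 1, RLENGTH - length(k) - 1)
      return ""
    }
    # emit the collected paths of the current event and reset state
    function flush(   n) {
      if (serial == "") return
      for (n = 1; n <= npath; n++)
        print serial, auid, exe, cwd, ntype[n], (name[n] ~ /^\// ? name[n] : cwd "/" name[n])
      serial = ""; npath = 0; cwd = ""; exe = ""; auid = ""
    }
    /^----/ { flush(); next }
    /^type=/ {
      # every record of one event shares the serial in msg=audit(secs.ms:serial)
      match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
      s = substr($0, RSTART, RLENGTH); sub(/.*:/, "", s); sub(/\)/, "", s)
      serial = s
    }
    /^type=CWD/     { cwd = field("cwd") }
    /^type=SYSCALL/ { exe = field("exe"); auid = field("auid") }
    /^type=PATH/    {
      t = field("nametype")
      if (t != "PARENT") { npath++; name[npath] = field("name"); ntype[npath] = t }
    }
    END { flush() }
  '
}

# Demo on the constructed sample.
printf '%s' "$SAMPLE" | audit_paths
```

On the sample this prints `301 0 /usr/bin/cp /root/test CREATE /root/test/./hosts` and `302 0 /usr/bin/rm /root/test DELETE /root/test/hosts`, i.e. the same path strings the older `--format text` output showed. Because the script keys on the raw `name=`/`nametype=` fields rather than on the text renderer, it gives an independent check of whether the kernel records themselves still contain the file name after the package change; `ausearch -k test -i` (interpreted output) is a quick manual way to look at the same PATH records.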