Newer versions of audit missing information?

Sergio Correia scorreia at redhat.com
Wed Mar 9 21:49:15 UTC 2022


Hi,

On Mon, Feb 28, 2022 at 2:46 PM Mark Gardner <mark at klas.com> wrote:
>
 [snip]

> [root at localhost test]# ausearch -k test --format text -ts recent
>
> At 14:10:55 02/28/2022 root successfully opened-file  using /usr/bin/cp
> At 14:11:37 02/28/2022 root successfully deleted  using /usr/bin/rm
> At 14:13:16 02/28/2022 system, acting as root, successfully remove_rule test using /usr/sbin/auditctl
> At 14:14:11 02/28/2022 root successfully add_rule test using /usr/sbin/auditctl
> At 14:14:23 02/28/2022 root successfully opened-file  using /usr/bin/cp
> At 14:14:30 02/28/2022 root successfully deleted  using /usr/bin/rm
> [root at localhost test]#
>
> Notice no information on what file was copied / removed?
>

I was able to reproduce this issue with 3.0.7 and submitted a fix that
was merged upstream as commit becc1c.

I now get the following output, with the patched version:
At 16:46:10 03/09/2022 root successfully add_rule test using /usr/sbin/auditctl
At 16:46:16 03/09/2022 root successfully opened-file /root/test/hosts using /usr/bin/cp
At 16:46:23 03/09/2022 root successfully deleted /root/test/hosts using /usr/bin/rm

With 3.0.7, I would get this:
At 16:46:10 03/09/2022 root successfully add_rule test using /usr/sbin/auditctl
At 16:46:16 03/09/2022 root successfully opened-file  using /usr/bin/cp
At 16:46:23 03/09/2022 root successfully deleted  using /usr/bin/rm

Best Regards,
Sergio
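A small checker for the symptom discussed in this thread, added here as an example and not code from the audit project: it parses `ausearch --format text` event lines (the line shape is assumed from the output quoted above, other event kinds may differ) and flags file events whose object field is empty, which is what an admin would run over existing logs to see whether the 3.0.7 behaviour affects them. The sample lines are constructed from the outputs shown in the thread.

```python
import re
from datetime import datetime

# One event line as printed by `ausearch --format text`; the shape is assumed from
# the lines quoted in this thread (time, date, actor, result, action, object, binary).
_EVENT_RE = re.compile(
    r"^At (?P<time>\d{2}:\d{2}:\d{2}) (?P<date>\d{2}/\d{2}/\d{4}) "
    r"(?P<actor>.+?) (?P<result>successfully|unsuccessfully) (?P<action>\S+) "
    r"(?P<obj>.*?) using (?P<binary>\S+)$"
)

# Actions whose object should name a path; an empty object here is the 3.0.7 symptom.
PATH_ACTIONS = {"opened-file", "deleted"}

# Constructed samples, taken from the outputs quoted in this thread.
BUGGY_OUTPUT = """\
At 14:10:55 02/28/2022 root successfully opened-file  using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted  using /usr/bin/rm
At 14:13:16 02/28/2022 system, acting as root, successfully remove_rule test using /usr/sbin/auditctl
At 14:14:11 02/28/2022 root successfully add_rule test using /usr/sbin/auditctl
At 14:14:23 02/28/2022 root successfully opened-file  using /usr/bin/cp
At 14:14:30 02/28/2022 root successfully deleted  using /usr/bin/rm
"""
PATCHED_OUTPUT = """\
At 16:46:10 03/09/2022 root successfully add_rule test using /usr/sbin/auditctl
At 16:46:16 03/09/2022 root successfully opened-file /root/test/hosts using /usr/bin/cp
At 16:46:23 03/09/2022 root successfully deleted /root/test/hosts using /usr/bin/rm
"""


def parse_event(line):
    """Parse one text-format event into a dict, or return None for non-event lines."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    return {
        "when": when,
        "actor": m["actor"].rstrip(","),
        "success": m["result"] == "successfully",
        "action": m["action"],
        "object": m["obj"].strip(),
        "binary": m["binary"],
    }


def missing_objects(text):
    """Return the events whose object is empty although the action implies a path."""
    events = (parse_event(line) for line in text.splitlines())
    return [e for e in events if e and e["action"] in PATH_ACTIONS and not e["object"]]


if __name__ == "__main__":
    for ev in missing_objects(BUGGY_OUTPUT):
        print(f"{ev['when']:%Y-%m-%d %H:%M:%S} {ev['action']} via {ev['binary']}: no object recorded")
```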
