Q: why does the kernel audit module not record the absolute path of the file #147
Comments
There are two audit records in that single audit event, which when combined provide the full path to the file. The first audit record indicates the parent directory:
... and the second indicates the file being deleted:
The above response should answer your question, so I'm going to close this issue, but if you have any additional follow-up questions please feel free to reopen it.
question: Take the following scenario: step:
The log is as follows:
type=SYSCALL msg=audit(1690509108.655:2625): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=55bbbf8bda58 a2=0 a3=200 items=2 ppid=86610 pid=89214 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts9 ses=3 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="file_wa_audit"ARCH=x86_64 SYSCALL=unlinkat AUID="uos" UID="uos" GID="uos" EUID="uos" SUID="uos" FSUID="uos" EGID="uos" SGID="uos" FSGID="uos"
the same issue:
When comparing timestamps to group audit records into a single audit event, you need to consider the full timestamp and not just everything before the period. For example, given a timestamp of
With that in mind, in the first audit event,
In the audit stream shown above, each audit event that contains PATH records contains two PATH records; one is marked as a PARENT (
Issue #133 is unrelated to this issue.
Thanks. Log:
type=SYSCALL msg=audit(1690443959.176:1267): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=6888f8 a2=0 a3=fffffffffffffbbb items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=SYSCALL msg=audit(1690443959.176:1268): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=6874a0 a2=200 a3=100 items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
The parent dir of '111.txt' is not '/home/uos/Desktop'.
linux-audit/audit-userspace#231
Ah, okay, I thought this was focused on the multiple PATH records per event; I wasn't looking so much at what was recorded in the PARENT PATH record, I was focusing on trying to explain the multiple records. Regardless, if you are concerned about the issue represented in issue #133, follow up in that issue so we don't duplicate it here.
Do you think the kernel audit module should record the full path of the file? If not, what's your opinion?
When deleting a file, I believe recording the parent in one record and the file in another record, all within a single audit event, is sufficient for logging purposes.
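As an added example (not code from this issue, the kernel, or the audit userspace project), here is a small Python parser that applies the two points made in the thread: it groups records by the full seconds.millis:serial event id rather than by the seconds alone, so events 1267 and 1268, which share 1690443959.176, stay separate; and it joins each event's PARENT PATH record with its DELETE PATH record (falling back to the CWD record for relative names) to produce the full path. It also cross-checks each PARENT record's dev/inode against paths recorded elsewhere in the same log, which surfaces the discrepancy the reporter raises: event 1267's PARENT record names /home/uos/Desktop with inode 1051911, while event 1268 records inode 1051911 as the deleted directory /home/uos/Desktop/test. The sample log is the excerpt posted in the issue with the SYSCALL records trimmed to a few fields; the function names are mine.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample: the audit.log excerpt from the issue, SYSCALL records trimmed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1690443959.176:1267): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=23410 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1267): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1690443959.176:1267): proctitle=726D002D720074657374
type=SYSCALL msg=audit(1690443959.176:1268): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=23410 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1268): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1268): item=0 name="/home/uos/Desktop" inode=1048584 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1690443959.176:1268): item=1 name="test" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1690443959.176:1268): proctitle=726D002D720074657374
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return (type, event_id, fields) for one record, or None if it is not one.
    event_id keeps the full "seconds.millis:serial" pair, so 1267 and 1268 stay distinct."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(rest)}
    return rtype, f"{ts}:{serial}", fields


def group_events(log_text):
    """Group records into events keyed by the full event id, preserving record order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, event_id, fields = parsed
            events[event_id].append((rtype, fields))
    return events


def _absolute(parent, name, cwd):
    """Join a PATH name to its PARENT name; a relative or missing PARENT resolves against CWD."""
    if name.startswith("/"):
        return posixpath.normpath(name)
    base = parent if parent is not None else cwd
    if base and not base.startswith("/") and cwd:
        base = posixpath.join(cwd, base)
    return posixpath.normpath(posixpath.join(base, name)) if base else name


def deleted_paths(records):
    """Full paths deleted in one event, as (path, dev, inode) tuples."""
    cwd = parent = None
    deletes = []
    for rtype, f in records:
        if rtype == "CWD":
            cwd = f.get("cwd")
        elif rtype == "PATH" and f.get("nametype") == "PARENT":
            parent = f.get("name")
        elif rtype == "PATH" and f.get("nametype") == "DELETE":
            deletes.append(f)
    return [(_absolute(parent, f.get("name", ""), cwd), f.get("dev"), f.get("inode")) for f in deletes]


def all_deletions(log_text):
    """Map event id -> list of full paths deleted in that event."""
    return {eid: [p for p, _, _ in deleted_paths(recs)]
            for eid, recs in group_events(log_text).items()
            if any(r == "PATH" for r, _ in recs)}


def parent_inode_mismatches(log_text):
    """Flag PARENT records whose (dev, inode) was recorded under a different full path in
    another event: the PARENT name is then not the directory the deleted file lived in."""
    events = group_events(log_text)
    path_by_inode = {}
    for recs in events.values():
        for path, dev, inode in deleted_paths(recs):
            path_by_inode[(dev, inode)] = path
    mismatches = []
    for eid, recs in events.items():
        for rtype, f in recs:
            if rtype == "PATH" and f.get("nametype") == "PARENT":
                known = path_by_inode.get((f.get("dev"), f.get("inode")))
                if known is not None and known != posixpath.normpath(f.get("name", "")):
                    mismatches.append((eid, f.get("name", ""), known))
    return mismatches


if __name__ == "__main__":
    for eid, paths in all_deletions(SAMPLE_LOG).items():
        print(eid, paths)
    for eid, claimed, actual in parent_inode_mismatches(SAMPLE_LOG):
        print(f"event {eid}: PARENT says {claimed!r}, but that dev/inode is {actual!r} elsewhere")
```

On the sample, all_deletions reports /home/uos/Desktop/111.txt for event 1267 and /home/uos/Desktop/test for event 1268, and parent_inode_mismatches reports event 1267, whose PARENT record's dev/inode belongs to /home/uos/Desktop/test. The inode check only works across events present in the same log window, so it is a consistency signal for reviewers, not a replacement for the PARENT record.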
Config of system:
The content of /var/log/audit/audit.log:
type=SYSCALL msg=audit(1690443959.176:1267): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=6888f8 a2=0 a3=fffffffffffffbbb items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1267): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1267): proctitle=726D002D720074657374
type=SYSCALL msg=audit(1690443959.176:1268): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=6874a0 a2=200 a3=100 items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1268): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1268): item=0 name="/home/uos/Desktop" inode=1048584 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1268): item=1 name="test" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1268): proctitle=726D002D720074657374
Question:
The absolute path of 111.txt is /home/uos/Desktop/test/111.txt, but we cannot get the absolute path of 111.txt from audit.log.
The version of the kernel: