Linux-audit Archive on lore.kernel.org
* Newer versions of audit missing information?
@ 2022-02-28 17:29 Mark Gardner
  2022-02-28 20:46 ` Steve Grubb
  2022-03-09 21:49 ` Sergio Correia
  0 siblings, 2 replies; 3+ messages in thread
From: Mark Gardner @ 2022-02-28 17:29 UTC (permalink / raw)
  To: linux-audit


I have set up a watch on specific directories for changes so we can report to our auditors about deployments being done by the proper staff members.
So for example -w /root/test -p ra -k test.
If I copied / removed a file in that directory, I would get audit results similar to the following:

[root@localhost test]# ausearch -k test --format text -ts recent

At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm

This worked fine in CentOS 7 and CentOS 8 (not stream).

Testing with CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 also worked until I updated the audit package

[root@localhost test]# dnf list installed audit
Installed Packages
audit.x86_64              3.0-0.17.20191104git1c2f876.el8              @anaconda

[root@localhost test]# ausearch -k test --format text -ts recent

At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm

[root@localhost test]# dnf list audit
CentOS Stream 8 - AppStream                     7.7 MB/s |  20 MB     00:02
CentOS Stream 8 - BaseOS                        9.5 MB/s |  19 MB     00:02
CentOS Stream 8 - Extras                         52 kB/s |  18 kB     00:00
Installed Packages
audit.x86_64              3.0-0.17.20191104git1c2f876.el8              @anaconda
Available Packages
audit.x86_64              3.0.7-1.el8                                  baseos

After Upgrade:

[root@localhost test]# auditctl -l
No rules
[root@localhost test]# auditctl -w /root/test -p wa -k test
[root@localhost test]# cp /etc/hosts .
[root@localhost test]# rm hosts
rm: remove regular file 'hosts'? y
[root@localhost test]# ausearch -k test --format text -ts recent

At 14:10:55 02/28/2022 root successfully opened-file  using /usr/bin/cp
At 14:11:37 02/28/2022 root successfully deleted  using /usr/bin/rm
At 14:13:16 02/28/2022 system, acting as root, successfully remove_rule test using /usr/sbin/auditctl
At 14:14:11 02/28/2022 root successfully add_rule test using /usr/sbin/auditctl
At 14:14:23 02/28/2022 root successfully opened-file  using /usr/bin/cp
At 14:14:30 02/28/2022 root successfully deleted  using /usr/bin/rm
[root@localhost test]#

Notice no information on what file was copied / removed?

Even the earlier log entries don't show what file was copied / removed.

If I downgrade to audit 3.0-0.17, everything is there.

Is there another way to monitor a directory so we know which files were modified / removed?


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


* Re: Newer versions of audit missing information?
  2022-02-28 17:29 Newer versions of audit missing information? Mark Gardner
@ 2022-02-28 20:46 ` Steve Grubb
  2022-03-09 21:49 ` Sergio Correia
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2022-02-28 20:46 UTC (permalink / raw)
  To: linux-audit; +Cc: Mark Gardner

On Monday, February 28, 2022 12:29:54 PM EST Mark Gardner wrote:

<snip>

> Notice no information on what file was copied / removed?
> 
> Even the earlier log entries don't show what file was copied / removed.

This might be related to record formats changing.


> If I downgrade to audit 3.0-0.17, everything is there.
> 
> Is there another way to monitor a directory so we know which files were
> modified / removed?

Well, you can always do ausearch -k test --raw | aureport -f

I'll take a look and see if I can spot what has changed and how this could be 
fixed.

-Steve
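The `--raw | aureport -f` pipeline above works because aureport reads the PATH records itself instead of going through the text formatter that lost the name. The following is an added example, not code from this thread or from the audit project, that does the same join by hand so the reader can see where the file name lives in the event: a `-w` watch yields a SYSCALL record, a CWD record and one PATH record per path item, all sharing one `audit(timestamp:serial)` id, and the object acted on is the PATH item whose `nametype` is CREATE, DELETE or NORMAL (PARENT is only the containing directory). The sample records are constructed and shortened; the function names are the example's own. It also handles two details that bite in practice: relative `name=` values must be resolved against the CWD record, and the kernel emits names containing spaces or non-printable bytes as unquoted uppercase hex.

```python
import posixpath
import re
import time

# Constructed sample in `ausearch --raw` shape (serials, inodes and most SYSCALL
# fields shortened). Events 301/318 mirror the cp / rm steps from the thread;
# event 340 adds a sudo-style auid != uid and a file name with a space, which
# the kernel hex-encodes ("my file" -> 6D792066696C65) and emits without quotes.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1646057455.412:301): arch=c000003e syscall=257 success=yes exit=4 items=2 pid=1455 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key="test"
type=CWD msg=audit(1646057455.412:301): cwd="/root/test"
type=PATH msg=audit(1646057455.412:301): item=0 name="./" inode=1 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1646057455.412:301): item=1 name="./hosts" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1646057497.903:318): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=1460 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="test"
type=CWD msg=audit(1646057497.903:318): cwd="/root/test"
type=PATH msg=audit(1646057497.903:318): item=0 name="/root/test" inode=1 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1646057497.903:318): item=1 name="/root/test/hosts" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1646057663.120:340): arch=c000003e syscall=257 success=yes exit=4 items=2 pid=1470 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="cp" exe="/usr/bin/cp" key="test"
type=CWD msg=audit(1646057663.120:340): cwd="/root/test"
type=PATH msg=audit(1646057663.120:340): item=0 name="./" inode=1 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1646057663.120:340): item=1 name=6D792066696C65 inode=3 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

# Optional "node=" prefix appears when auditd is configured with a node name.
RECORD_RE = re.compile(r"^(?:node=\S+ )?type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# nametype values that name the object acted on; PARENT is the directory only.
ACTIONS = {"CREATE": "created", "DELETE": "deleted", "NORMAL": "accessed"}


def _decode(key, raw):
    """Strip quotes; unquoted hex on a string field is the kernel's escape for odd bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in ("name", "cwd", "comm", "exe") and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_raw_audit(text):
    """Group raw records into events by serial, keeping SYSCALL, CWD and PATH records."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:            # blank lines and '----' separators
            continue
        rtype, secs, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": int(serial), "time": int(secs),
                                        "syscall": {}, "cwd": None, "paths": []})
        fields = {k: _decode(k, v) for k, v in FIELD_RE.findall(body)}
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return list(events.values())


def touched_files(ev):
    """(action, absolute path) for each PATH item that is the object, not its parent dir."""
    out = []
    for p in ev["paths"]:
        action, name = ACTIONS.get(p.get("nametype")), p.get("name")
        if not action or not name or name == "(null)":
            continue
        if not name.startswith("/") and ev["cwd"]:   # relative names resolve against CWD
            name = posixpath.normpath(posixpath.join(ev["cwd"], name))
        out.append((action, name))
    return out


def report(text):
    """One line per file per event, in the spirit of `ausearch --format text`."""
    lines = []
    for ev in parse_raw_audit(text):
        sc = ev["syscall"]
        stamp = time.strftime("%H:%M:%S %m/%d/%Y", time.gmtime(ev["time"]))
        outcome = "successfully" if sc.get("success") == "yes" else "unsuccessfully"
        # auid is the login identity and survives su/sudo; uid is the effective one.
        who = "auid=%s uid=%s" % (sc.get("auid", "?"), sc.get("uid", "?"))
        for action, path in touched_files(ev):
            lines.append("At %s %s %s %s %s using %s [key=%s]" % (
                stamp, who, outcome, action, path, sc.get("exe", "?"), sc.get("key", "?")))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RAW)))
```

For the auditor use case in the original post, the `auid` field is the one to report on: it is the login uid, set at authentication and unchanged by `su` or `sudo`, so it identifies the staff member even when the deployment ran as root. Feed real data with `ausearch -k test --raw | python3 thisfile.py` after swapping `SAMPLE_RAW` for `sys.stdin.read()`.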



* Re: Newer versions of audit missing information?
  2022-02-28 17:29 Newer versions of audit missing information? Mark Gardner
  2022-02-28 20:46 ` Steve Grubb
@ 2022-03-09 21:49 ` Sergio Correia
  1 sibling, 0 replies; 3+ messages in thread
From: Sergio Correia @ 2022-03-09 21:49 UTC (permalink / raw)
  To: Mark Gardner; +Cc: linux-audit

Hi,

On Mon, Feb 28, 2022 at 2:46 PM Mark Gardner <mark@klas.com> wrote:
>
 [snip]

> [root@localhost test]# ausearch -k test --format text -ts recent
>
> At 14:10:55 02/28/2022 root successfully opened-file  using /usr/bin/cp
> At 14:11:37 02/28/2022 root successfully deleted  using /usr/bin/rm
> At 14:13:16 02/28/2022 system, acting as root, successfully remove_rule test using /usr/sbin/auditctl
> At 14:14:11 02/28/2022 root successfully add_rule test using /usr/sbin/auditctl
> At 14:14:23 02/28/2022 root successfully opened-file  using /usr/bin/cp
> At 14:14:30 02/28/2022 root successfully deleted  using /usr/bin/rm
> [root@localhost test]#
>
> Notice no information on what file was copied / removed?
>

I was able to reproduce this issue with 3.0.7 and submitted a fix that
was merged upstream as commit becc1c.

I now get the following output, with the patched version:
At 16:46:10 03/09/2022 root successfully add_rule test using /usr/sbin/auditctl
At 16:46:16 03/09/2022 root successfully opened-file /root/test/hosts using /usr/bin/cp
At 16:46:23 03/09/2022 root successfully deleted /root/test/hosts using /usr/bin/rm

With 3.0.7, I would get this:
At 16:46:10 03/09/2022 root successfully add_rule test using /usr/sbin/auditctl
At 16:46:16 03/09/2022 root successfully opened-file  using /usr/bin/cp
At 16:46:23 03/09/2022 root successfully deleted  using /usr/bin/rm

Best Regards,
Sergio

