Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
* Newer versions of audit missing information?
@ 2022-02-28 17:29 Mark Gardner
  2022-02-28 20:46 ` Steve Grubb
  2022-03-09 21:49 ` Sergio Correia
  0 siblings, 2 replies; 3+ messages in thread
From: Mark Gardner @ 2022-02-28 17:29 UTC (permalink / raw)
  To: linux-audit


[-- Attachment #1.1: Type: text/plain, Size: 2929 bytes --]

I have setup a watch on specific directories for changes so we can report to our auditors about deployments being done by the proper staff members.
So for example -w /root/test -p ra -k test.
If I copied / removed a file in that directory, I would get audit results similar to the following:


[root@localhost test]# ausearch -k test --format text -ts recent 


At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp

At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm


This worked fine in CentOS 7 and CentOS 8 (not stream).

Testing with CentOS-Stream-GenericCloud-8-20220125.1.x86_64.qcow2 also worked until I updated the audit package


[root@localhost test]# dnf list installed audit 


Installed Packages

audit.x86_64              3.0-0.17.20191104git1c2f876.el8              @anaconda



[root@localhost test]# ausearch -k test --format text -ts recent 


At 14:10:55 02/28/2022 root successfully opened-file /root/test/./hosts using /usr/bin/cp

At 14:11:37 02/28/2022 root successfully deleted /root/test/hosts using /usr/bin/rm



[root@localhost test]# dnf list audit 

CentOS Stream 8 - AppStream                     7.7 MB/s |  20 MB     00:02

CentOS Stream 8 - BaseOS                        9.5 MB/s |  19 MB     00:02

CentOS Stream 8 - Extras                         52 kB/s |  18 kB     00:00

Installed Packages

audit.x86_64              3.0-0.17.20191104git1c2f876.el8              @anaconda

Available Packages

audit.x86_64              3.0.7-1.el8                                  baseos

After Upgrade:[root@localhost test]# auditctl -l 

No rules

[root@localhost test]# auditctl -w /root/test -p wa -k test

[root@localhost test]# cp /etc/hosts .

[root@localhost test]# rm hosts

rm: remove regular file 'hosts'? y

[root@localhost test]# ausearch -k test --format text -ts recent



At 14:10:55 02/28/2022 root successfully opened-file  using /usr/bin/cp

At 14:11:37 02/28/2022 root successfully deleted  using /usr/bin/rm

At 14:13:16 02/28/2022 system, acting as root, successfully remove_rule test using /usr/sbin/auditctl

At 14:14:11 02/28/2022 root successfully add_rule test using /usr/sbin/auditctl

At 14:14:23 02/28/2022 root successfully opened-file  using /usr/bin/cp

At 14:14:30 02/28/2022 root successfully deleted  using /usr/bin/rm

[root@localhost test]#

Notice no information on what file was copied / removed?



Even the earlier log entries don't show what file was copied / removed.

If I downgrade to audit 3.0-0.17, everything is there.

Is there another way to monitor a directory so we know which files were modified / removed?

[-- Attachment #1.2: Type: text/html, Size: 4915 bytes --]

[-- Attachment #2: Type: text/plain, Size: 106 bytes --]

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-03-09 21:49 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-02-28 17:29 Newer versions of audit missing information? Mark Gardner
2022-02-28 20:46 ` Steve Grubb
2022-03-09 21:49 ` Sergio Correia

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox