Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: "Ondra N." <ondrysak@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: option --extra-obj2 does not seem to work
Date: Fri, 5 Apr 2019 18:05:42 +0200
Message-ID: <20190405180542.60456af1@ivy-bridge>
In-Reply-To: <CADK+bLxm=Ns5Z6YYGb9+0GOG9Eutk9rQOV3h5a9aNVMCfqnEdA@mail.gmail.com>

Hello,

On Fri, 5 Apr 2019 16:30:32 +0200
"Ondra N." <ondrysak@gmail.com> wrote:
> It seems that the option fails to display the second object for the
> rename action.

Which kernel are you using and which audit release are you using?

-Steve

> The interactive format correctly shows renaming the file
> 5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
> 
> ausearch -k test-ra -i
> 
> type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
> proctitle=python3 populate_fs.py rename
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
> cwd=/push_agent/src/main/python/scripts
> type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
> syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
> a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=pts1 ses=5549 comm=python3
> exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
> 
> but the CSV format shows just an empty column where the info about
> object2 should be.
> 
> ausearch -k test-ra --format csv --extra-obj2
> 
> ,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
> 
> Is this the desired behaviour?
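As an added example (not code from this thread or from the audit project), the following Python reconstructs the obj1/obj2 pair of a rename from the raw PATH records, the way the interactive output above shows it (objtype=DELETE is the old name, objtype=CREATE the new one), and cross-checks a CSV row against the raw event so a log pipeline can flag rows whose obj2 came out empty. It assumes the event serial is the fifth CSV column, as in the row quoted above; the sample records and row are constructed with shortened paths.

```python
import csv
import re
from collections import defaultdict
# Constructed sample modelled on the records quoted in the thread: one rename
# event (serial 110873) with paths shortened; values are illustrative only.
SAMPLE_RECORDS = """\
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3 name=/tmp/rnd_pop/dir/new.file inode=184553858 dev=fd:01 mode=file,644 objtype=CREATE
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2 name=/tmp/rnd_pop/dir/old.file inode=184553858 dev=fd:01 mode=file,644 objtype=DELETE
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1 name=/tmp/rnd_pop/dir/ inode=184554064 dev=fd:01 mode=dir,755 objtype=PARENT
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0 name=/tmp/rnd_pop/dir/ inode=184554064 dev=fd:01 mode=dir,755 objtype=PARENT
type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64 syscall=rename success=yes exit=0 items=4 pid=7653 auid=root uid=root comm=python3 key=test-ra
"""
# CSV row as the reporter saw it (paths shortened to match SAMPLE_RECORDS): the
# obj2 column is empty although the raw event carries the CREATE path.
SAMPLE_CSV = (",SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,"
              "renamed,success,/tmp/rnd_pop/dir/old.file,184553858,,file,/usr/bin/python3.6")
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((.+):(\d+)\) : (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_records(text):
    """Group 'ausearch -i' style records by event serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record line
        rtype, _ts, serial, body = m.groups()
        fields = dict(KV_RE.findall(body))
        fields["type"] = rtype
        events[int(serial)].append(fields)
    return dict(events)

def rename_objects(records):
    """(syscall, obj1, obj2) as --extra-obj2 should report them: DELETE path, CREATE path."""
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    if sc is None or sc.get("syscall") not in ("rename", "renameat", "renameat2"):
        return None  # not a rename-family event
    paths = [r for r in records if r["type"] == "PATH"]
    obj1 = next((p["name"] for p in paths if p.get("objtype") == "DELETE"), None)
    obj2 = next((p["name"] for p in paths if p.get("objtype") == "CREATE"), None)
    return sc["syscall"], obj1, obj2

def missing_obj2(csv_line, events):
    """Cross-check a CSV row against the raw event with the same serial (5th
    column); return the obj2 the raw records carry when the row lacks it."""
    fields = next(csv.reader([csv_line]))
    result = rename_objects(events.get(int(fields[4]), []))
    if result is None:
        return None
    return result[2] if result[2] and result[2] not in fields else None
```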

Thread overview: 5+ messages
2019-04-05 14:30 option --extra-obj2 does not seem to work Ondra N.
2019-04-05 16:05 ` Steve Grubb [this message]
2019-04-07  8:18 ` Steve Grubb
2019-04-08  0:39   ` Paul Moore
2019-04-11  7:53   ` Ondra N.
