From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: option --extra-obj2 does not seem to work
Date: Fri, 5 Apr 2019 18:05:42 +0200
Message-ID: <20190405180542.60456af1@ivy-bridge>
References: <CADK+bLxm=Ns5Z6YYGb9+0GOG9Eutk9rQOV3h5a9aNVMCfqnEdA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CADK+bLxm=Ns5Z6YYGb9+0GOG9Eutk9rQOV3h5a9aNVMCfqnEdA@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Ondra N." <ondrysak@gmail.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

On Fri, 5 Apr 2019 16:30:32 +0200
"Ondra N." <ondrysak@gmail.com> wrote:
> it seems that the option fails to display the second object for rename
> action.

Which kernel are you using and which audit release are you using?

-Steve

> interactive format correctly show renaming the file
> 5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
> 
> ausearch -k test-ra -i
> 
> type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
> proctitle=python3 populate_fs.py rename
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
> cwd=/push_agent/src/main/python/scripts
> type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
> syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
> a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=pts1 ses=5549 comm=python3
> exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
> 
> but csv format shows just empty column where the info about the
> object2 should be.
> 
> ausearch -k test-ra --format csv --extra-obj2
> 
> ,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
> 
> is this desired behaviour?