Re: option --extra-obj2 does not seem to work

[Steve Grubb <sgrubb@redhat.com>]

On Fri, 5 Apr 2019 16:30:32 +0200
"Ondra N." <ondrysak@gmail.com> wrote:
> it seems that the option fails to display the second object for rename
> action.

To catch everyone up, it turns out this is audit-2.8.4 and kernel
3.10.0-957.el7.x86_64.

> interactive format correctly show renaming the file
> 5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
> 
> ausearch -k test-ra -i
> 
> type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
> proctitle=python3 populate_fs.py rename
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0

There seems to be a missing DELETE path record here. What I see on my
system is 2 PARENT records, 2 DELETE records, and 1 CREATE record. The
two parents is for both items (obj1 & obj2). Then both objects get
deleted, and we are left with 1 object being created. This last create
record is what OBJ2 would be. Without the second DELETE, we wind
up on the wrong record looking for 'name'.

Looking at the inodes, what is missing is the DELETE for the inode that
is being replaced with the tmp copy. Funny thing is, this works fine
for me on the same user space and kernel.

Can you pass along a simplified reproducer? Shell script would be
preferred.

Thanks,
-Steve

> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
> inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
> name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
> cwd=/push_agent/src/main/python/scripts
> type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
> syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
> a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=pts1 ses=5549 comm=python3
> exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
> 
> but csv format shows just empty column where the info about the
> object2 should be.
> 
> ausearch -k test-ra --format csv --extra-obj2
> 
> ,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
> 
> is this desired behaviour?