* Re: option --extra-obj2 does not seem to work
From: Paul Moore @ 2019-04-08 0:39 UTC
To: Steve Grubb, Ondra N.; +Cc: linux-audit
On Sun, Apr 7, 2019 at 4:22 AM Steve Grubb <sgrubb@redhat.com> wrote:
> On Fri, 5 Apr 2019 16:30:32 +0200
> "Ondra N." <ondrysak@gmail.com> wrote:
> > it seems that the option fails to display the second object for rename
> > action.
>
> To catch everyone up, it turns out this is audit-2.8.4 and kernel
> 3.10.0-957.el7.x86_64.
Ondra, I'm not sure if you have any more recent kernels running, but
have you seen the same issue on other kernel/userspace combinations?
> > interactive format correctly shows renaming the file
> > 5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
> >
> > ausearch -k test-ra -i
> >
> > type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
> > proctitle=python3 populate_fs.py rename
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
> > inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> > objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
>
> There seems to be a missing DELETE path record here. What I see on my
> system is 2 PARENT records, 2 DELETE records, and 1 CREATE record. The
> two parents are for both items (obj1 & obj2). Then both objects get
> deleted, and we are left with 1 object being created. This last create
> record is what OBJ2 would be. Without the second DELETE, we wind
> up on the wrong record looking for 'name'.
>
> Looking at the inodes, what is missing is the DELETE for the inode that
> is being replaced with the tmp copy. Funny thing is, this works fine
> for me on the same user space and kernel.
>
> Can you pass along a simplified reproducer? Shell script would be
> preferred.
>
> Thanks,
> -Steve
>
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
> > inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> > objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> > inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> > objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> > inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> > objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
> > cwd=/push_agent/src/main/python/scripts
> > type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
> > syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
> > a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
> > uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> > fsgid=root tty=pts1 ses=5549 comm=python3
> > exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
> >
> > but the csv format shows just an empty column where the info about the
> > object2 should be.
> >
> > ausearch -k test-ra --format csv --extra-obj2
> >
> > ,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
> >
> > Is this desired behaviour?
--
paul moore
www.paul-moore.com
* Re: option --extra-obj2 does not seem to work
From: Ondra N. @ 2019-04-11 7:53 UTC
To: Steve Grubb; +Cc: linux-audit
Ondra N. <ondrysak@gmail.com>
Mon 8 Apr 14:51 (3 days ago)
to: Paul
Hello,
Below I enclose a reproducer script; hope it helps.
#!/bin/bash
# Drop any earlier rules tagged test_key, then watch the test tree for writes/attribute changes.
auditctl -D -k test_key
mkdir -p /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw
auditctl -w /tmp/random_folder -p wa -k test_key
# Make sure the rename target does not exist, create the source, then rename over it.
rm -f /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
echo "hello" > /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file
python3 <<< "import os; os.rename('/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file','/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file')"
# Compare the interpreted event with the csv line that should carry obj2.
ausearch -i -k test_key | tail
ausearch -k test_key --extra-obj2 --format csv | tail | grep renamed
Will hopefully try different kernel/userspace combinations later this week.
Another thing I noticed is that, for me, it works as expected when the file
already exists.
Commenting out the line `rm -f /tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file`
from the reproducer script yields the expected result after the second run.
There is a difference in the raw output that is probably responsible for
the field being empty.
WORKS OK (file existed before): the obj2 column is populated with the correct value
type=PROCTITLE msg=audit(04/08/2019 13:09:54.586:232192) : proctitle=python3
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=4
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
inode=134231847 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=3
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=2
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file
inode=134231847 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=1
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/
inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:09:54.586:232192) : item=0
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/
inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/08/2019 13:09:54.586:232192) : cwd=/tmp
type=SYSCALL msg=audit(04/08/2019 13:09:54.586:232192) : arch=x86_64
syscall=rename success=yes exit=0 a0=0x7ffbd89d3510 a1=0x7ffbd89d35a8
a2=0xffffffff a3=0x7ffd9b558b20 items=5 ppid=27771 pid=27779 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts0 ses=10320 comm=python3
exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test_key
DOES NOT WORK (file did not exist before): the obj2 column remains empty
type=PROCTITLE msg=audit(04/08/2019 13:12:12.685:232285) : proctitle=python3
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=3
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/FP6c2UlcsH5rfInFDyM.file
inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=2
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/sSmcW4DT7bZ3XS1qcf.file
inode=134231846 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=1
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/
inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/08/2019 13:12:12.685:232285) : item=0
name=/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/
inode=134237250 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/08/2019 13:12:12.685:232285) : cwd=/tmp
type=SYSCALL msg=audit(04/08/2019 13:12:12.685:232285) : arch=x86_64
syscall=rename success=yes exit=0 a0=0x7f52063c2510 a1=0x7f52063c25a8
a2=0xffffffff a3=0x7ffdb7446700 items=4 ppid=28069 pid=28078 auid=root
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts0 ses=10320 comm=python3
exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test_key
Hope it helps
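To make Steve's point concrete (the obj2 lookup lands on the wrong record when the DELETE for the replaced target is absent), here is an added Python example, not code from audit-userspace or from anyone in the thread: it rebuilds the two PATH-record sets Ondra posted as constructed one-line samples, shows a position-based lookup coming back empty for the items=4 case, and derives obj1/obj2 from objtype instead, which works for both. The fixed item index it uses illustrates the failure mode; it is not a claim about ausearch's actual implementation.

```python
import re
# Constructed sample: the two rename events from the thread, one PATH record
# per line as `ausearch -i` prints them (the mail wrapped the name= field).
D = "/tmp/random_folder/rzadilLpW4NmB6r2/QzTTUUW6UskKVI9QSk3R/Yrts9nCu0tHVLmLlC3/USAoxzJGnfVwFqOw/"
SRC, DST = D + "sSmcW4DT7bZ3XS1qcf.file", D + "FP6c2UlcsH5rfInFDyM.file"

def path(item, name, inode, objtype, serial, mode="file,644"):
    return (f"type=PATH msg=audit(04/08/2019 13:09:54.586:{serial}) : item={item} "
            f"name={name} inode={inode} dev=fd:01 mode={mode} ouid=root ogid=root "
            f"rdev=00:00 objtype={objtype} cap_fp=none cap_fi=none cap_fe=0 cap_fver=0")

# Target existed: 2 PARENT, 2 DELETE, 1 CREATE (items=5, event 232192).
EVENT_EXISTED = [
    path(0, D, 134237250, "PARENT", 232192, "dir,755"),
    path(1, D, 134237250, "PARENT", 232192, "dir,755"),
    path(2, SRC, 134231847, "DELETE", 232192),
    path(3, DST, 134231846, "DELETE", 232192),
    path(4, DST, 134231847, "CREATE", 232192),
]
# Target did not exist: 2 PARENT, 1 DELETE, 1 CREATE (items=4, event 232285).
EVENT_NEW = [
    path(0, D, 134237250, "PARENT", 232285, "dir,755"),
    path(1, D, 134237250, "PARENT", 232285, "dir,755"),
    path(2, SRC, 134231846, "DELETE", 232285),
    path(3, DST, 134231846, "CREATE", 232285),
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_path_records(lines):
    """Return the PATH records of one event as dicts keyed by field name."""
    return [dict(FIELD.findall(line.split(" : ", 1)[1]))
            for line in lines if line.startswith("type=PATH ")]

def positional_obj2(lines):
    """Fragile lookup: expect obj2 at item=4 (the five-record layout); empty otherwise."""
    recs = {int(r["item"]): r for r in parse_path_records(lines)}
    r = recs.get(4)
    return r["name"] if r and r["objtype"] == "CREATE" else ""

def rename_objects(lines):
    """Derive (obj1, obj2) from objtype, not position: obj2 is the CREATE
    record, obj1 the DELETE record whose name differs from it."""
    recs = parse_path_records(lines)
    obj2 = next((r["name"] for r in recs if r["objtype"] == "CREATE"), None)
    obj1 = next((r["name"] for r in recs if r["objtype"] == "DELETE"
                 and r["name"] != obj2), None)
    return obj1, obj2
```

For the items=4 event the positional lookup returns an empty string, which is exactly the empty csv column in the thread, while the objtype-based version returns the same (source, target) pair for both events.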