From: Steve Grubb
Subject: Re: Not seeing access denied audit messages in restricted subdirectories
Date: Fri, 8 Nov 2019 22:39:05 +0100
Message-ID: <20191108223905.773a79d3@ivy-bridge>
To: John T Olson
Cc: linux-audit@redhat.com

On Fri, 8 Nov 2019 13:39:58 -0700 "John T Olson" wrote:
> Greetings,
>
> I have the following 2 audit rules set up:
>
> -a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
> -a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1
>
> I have a directory structure like the following:
>
> (13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/
> total 257
> drwx------.  3 root root   4096 Nov  7 12:46 .
> drwxr-xr-x. 15 root root 262144 Nov  7 12:50 ..
> drwx------.  2 root root   4096 Nov  7 12:46 test2
>
> Essentially, directory "/gpfs/fs1/test/" is owned by root and has
> permissions 700. The subdirectory underneath it (with
> path /gpfs/fs1/test/test2) is also owned by root and has permissions
> 700.
>
> When I have a non-root user attempt to list the contents of directory
> "/gpfs/fs1/test/" I receive an audit message for the denied access.
> However, when the non-root user attempts to list the contents of the
> subdirectory (/gpfs/fs1/test/test2), there is no audit message
> generated. Does anyone know why this is and how I get audit messages
> in both cases?

Yes, the reason is that the path did not resolve, so audit never saw it. This has been this way for quite some time. In the past, it was said that because the path never resolved, a PATH record with all attributes could not be generated.
I have mentioned to kernel maintainers that the path is available as a syscall argument. While a full PATH record cannot be generated with file attributes, an abbreviated one could be generated. So far, no one has seen this as a big enough problem to fix. Personally, I think it should be fixed.

-Steve
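To make the behaviour in this thread concrete, here is an added model (not kernel or audit-project code) of the lookup walk and the `dir=` filter: the tree, modes and uid 1000 are constructed to mirror the post, and the filter semantics are a simplification, namely that a PATH record exists only for a name that fully resolved and the rule matches only when such a path lies under the watched directory.

```python
"""Model of why a `-F dir=` rule misses a denied lookup below an unreadable
parent. Constructed illustration, not kernel or audit-project code; the
tree, modes and uid are made up and the filter semantics are simplified."""
import errno
import posixpath

# Constructed tree mirroring the post: path -> (owner uid, mode bits).
TREE = {
    "/": (0, 0o755),
    "/gpfs": (0, 0o755),
    "/gpfs/fs1": (0, 0o755),
    "/gpfs/fs1/test": (0, 0o700),
    "/gpfs/fs1/test/test2": (0, 0o700),
}

def permitted(path, uid, bit):
    """Classic mode check: root always passes; the owner uses the user bits,
    everyone else the 'other' bits (group bits are ignored in this model)."""
    owner, mode = TREE[path]
    if uid == 0:
        return True
    bits = (mode >> 6) if uid == owner else (mode & 0o7)
    return bool(bits & bit)

def resolve(path, uid):
    """Walk like a kernel lookup: every parent needs search (x) permission.
    Returns (errno, resolved path); the path is None if the lookup stopped
    early, which is the case where audit gets no PATH record for the name."""
    cur = "/"
    for name in [p for p in path.split("/") if p]:
        if not permitted(cur, uid, 0o1):
            return errno.EACCES, None
        cur = posixpath.join(cur, name)
        if cur not in TREE:
            return errno.ENOENT, None
    return 0, cur

def list_dir(path, uid, watched_dir):
    """Simulate `ls` as `uid` and apply the dir= filter (assumption: the rule
    matches only when a resolved PATH lies under watched_dir).
    Returns (exit errno, whether an audit event would be emitted)."""
    err, resolved = resolve(path, uid)
    if err == 0 and not permitted(resolved, uid, 0o4):
        err = errno.EACCES            # resolved, but no read permission
    denied = err in (errno.EACCES, errno.EPERM)
    under = resolved is not None and (
        resolved == watched_dir or resolved.startswith(watched_dir + "/"))
    return err, denied and under
```

Calling `list_dir` for `/gpfs/fs1/test` and `/gpfs/fs1/test/test2` as uid 1000 gives EACCES for both, but only the first is flagged as audited, matching the behaviour John observed.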