From: "Alan TaN" <maillist.alan@gmail.com>
To: linux-audit@redhat.com
Subject: confusing with open system call in Linux kernel
Date: Wed, 4 Feb 2015 15:59:36 +1300
Message-ID: <21a101d04026$9f45c8b0$ddd15a10$@gmail.com>
Hi everyone,
I am new here, so I am not exactly sure if this is the right place to ask
this. I apologise in advance if this is not the right place.
I would like to ask if anyone has encountered the issue below.
I am trying to track a set of file-access system calls on a Linux system
(for experimental purposes) and used the following subset of rules in the
audit.rules file:
-a exit,always -F arch=b64 -S creat -S read -S write -S rename -S open -S close
What I noticed was that for the open system call, when opening an existing
file for writing, the file name would come out as a 'null' value, as shown:
type=SYSCALL msg=audit(1423018198.026:20826531): arch=c000003e syscall=2 success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9169 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3805 comm="readfile" exe="/root/prov_project/script/readfile" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018198.026:20826531): cwd="/root/prov_project/script"
type=PATH msg=audit(1423018198.026:20826531): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018198.026:20826531): item=1 name=(null) inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL
However, opening the same file read-only, or opening a non-existing file
(in which case the open system call creates the file), results in the file
name being captured, as shown:
type=SYSCALL msg=audit(1423018196.556:20826486): arch=c000003e syscall=2 success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9168 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3805 comm="readfile" exe="/root/prov_project/script/readfile" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018196.556:20826486): cwd="/root/prov_project/script"
type=PATH msg=audit(1423018196.556:20826486): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018196.556:20826486): item=1 name="sample_text.txt" inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE
Hence the question: is this an intended feature or a bug?
I would appreciate it if anyone could shed some light on this.
To reproduce: write to a non-existing file first, close it and then open
and write to the same file again.
I am running version 2.3.7-5 of the audit framework on CentOS 6.4
(kernel version 2.6.32-431).
Thank you.
Cheers,
Alan
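Added example (not part of the original mail or of the audit project): a small correlator that groups the SYSCALL/CWD/PATH records quoted above by their audit serial, decodes the open(2) flags in a1 for the x86_64 syscall number 2, and resolves the file item to a path or, when name=(null) as in the first event, falls back to the dev/inode pair that is still present in the PATH record. The sample records are re-joined copies of the two events in the mail; the flag table covers only the bits needed here.

```python
import re
from collections import defaultdict

# The two events quoted in the mail, each record re-joined onto one line (constructed copy).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423018198.026:20826531): arch=c000003e syscall=2 success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9169 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3805 comm="readfile" exe="/root/prov_project/script/readfile" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018198.026:20826531): cwd="/root/prov_project/script"
type=PATH msg=audit(1423018198.026:20826531): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018198.026:20826531): item=1 name=(null) inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1423018196.556:20826486): arch=c000003e syscall=2 success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9168 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3805 comm="readfile" exe="/root/prov_project/script/readfile" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018196.556:20826486): cwd="/root/prov_project/script"
type=PATH msg=audit(1423018196.556:20826486): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018196.556:20826486): item=1 name="sample_text.txt" inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# x86_64 open(2) flag bits relevant to the mail; a1 is printed in hex by the kernel.
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x200: "O_TRUNC"}

def parse_events(text):
    """Group SYSCALL/CWD/PATH records sharing one audit serial into a single event."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "CWD":
            ev["cwd"] = fields["cwd"]
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return dict(events)

def resolve(ev):
    """Return (open flags, nametype, resolved path or None, 'dev:inode') for the file item."""
    sc = ev["syscall"]
    is_open = sc.get("arch") == "c000003e" and sc.get("syscall") == "2"
    flags = [n for bit, n in OPEN_FLAGS.items() if int(sc["a1"], 16) & bit] if is_open else []
    item = next(p for p in ev["paths"] if p["nametype"] != "PARENT")  # the file, not its directory
    name = item["name"]
    if name == "(null)":
        path = None  # name was not recorded: identify the file by dev/inode instead
    else:
        path = name if name.startswith("/") else ev["cwd"].rstrip("/") + "/" + name
    return flags, item["nametype"], path, f'{item["dev"]}:{item["inode"]}'
```

Running resolve() over both events shows the same dev/inode (fd:01:269089) and the same O_WRONLY|O_CREAT|O_TRUNC flags, which is how a reader can tie the nameless NORMAL record back to the file created in the CREATE record.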