From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: use openat to create a file, then audit log can't show the full path name ?
Date: Mon, 03 Dec 2018 20:11:26 -0500 [thread overview]
Message-ID: <2266965.DSjJAScMqE@x2> (raw)
In-Reply-To: <2018120409033724847711@gmail.com>
On Monday, December 3, 2018 8:06:17 PM EST litaibaichina@gmail.com wrote:
> Hi Guys,
>
> I tried to use code like the following to create a file and I am wathcing
> /data/Documents:
>
> # auditctl -l
> -w /data/Documents -p rwa
>
> my_open(const char *path, int flags, mode_t mode)
> {
> char *new = strdup(path);
> char *p;
> const char *last;
> int dirfd, lastfd;
> int fd = -1;
>
> dirfd = lastfd = open("/", O_DIRECTORY|O_NOFOLLOW);
>
> for (last = new + 1; (p = strchr(last, '/')); last = p)
> {
> while (*p == '/')
> *p++ = '\0';
> dirfd = openat(lastfd, last, O_RDONLY|O_DIRECTORY|O_NOFOLLOW);
> close(lastfd);
> if (dirfd < 0)
> break;
> lastfd = dirfd;
> }
> if (dirfd >= 0)
> {
> fd = openat(dirfd, last, flags|O_NOFOLLOW, mode);
> close(dirfd);
> }
>
> then get audit logs like:
> ----
> type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6495) :
> proctitle=./test-sscanf type=PATH msg=audit(12/04/2018 08:57:28.750:6495)
> : item=0 name=Documents inode=256 dev=00:2a mode=dir,777 ouid=guest
> ogid=guest rdev=00:00 nametype=NORMAL type=CWD msg=audit(12/04/2018
> 08:57:28.750:6495) : cwd=/root
> type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6495) : arch=x86_64
> syscall=openat success=yes exit=3 a0=0x4 a1=0x14c9016
> a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW a3=0x0 items=1 ppid=19411 pid=19494
> auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf
> exe=/root/test-sscanf key=(null) ----
> type=PROCTITLE msg=audit(12/04/2018 08:57:28.750:6496) :
> proctitle=./test-sscanf type=PATH msg=audit(12/04/2018 08:57:28.750:6496)
> : item=1 name=test-safeopen.txt inode=1714024 dev=00:2a mode=file,664
> ouid=root ogid=root rdev=00:00 nametype=CREATE type=PATH
> msg=audit(12/04/2018 08:57:28.750:6496) : item=0 name=/root inode=256
> dev=00:2a mode=dir,777 ouid=guest ogid=guest rdev=00:00 nametype=PARENT
> type=CWD msg=audit(12/04/2018 08:57:28.750:6496) : cwd=/root
> type=SYSCALL msg=audit(12/04/2018 08:57:28.750:6496) : arch=x86_64
> syscall=openat success=yes exit=4 a0=0x3 a1=0x14c9020
> a2=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC|O_NOFOLLOW a3=0x1b4 items=2 ppid=19411
> pid=19494 auid=root uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=pts0 ses=30 comm=test-sscanf
> exe=/root/test-sscanf key=(null)
>
> so looks like I can't get the full path /data/Documents/test-safeopen.txt,
> audit can't remember the path in item 0 ?
This is :
https://github.com/linux-audit/audit-kernel/issues/9
We were just discussing something that is sort of related. So, maybe there
will be some updates on this soonish.
-Steve
prev parent reply other threads:[~2018-12-04 1:11 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-04 1:06 use openat to create a file, then audit log can't show the full path name ? litaibaichina
2018-12-04 1:11 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2266965.DSjJAScMqE@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox