Subject: The directory removing loses a fraction of path.
From: Jóźwiak, Jarosław
Date: 2023-05-04 14:51 UTC
To: linux-audit



Hi,

This issue has already been reported by me at the GitHub linux-audit / audit-userspace issues site, but Steve Grubb suggested writing here to report the issue to the developers of the kernel part.

Just in case, you can find the original thread under this link:

https://github.com/linux-audit/audit-userspace/issues/298

entitled:

The directory removing loses a fraction of path.


Problem description.

(Slightly changed compared to the original thread.)

When deleting a directory, there is not enough information in the 'audit.log' file to reconstruct the full path to the deleted file as well as to the deleted directory.

When the following sequence of commands is run in bash, we get the information presented below in the 'audit.log' file. Apart from two cases, none of the others allow the full path to be reconstructed from the 'CWD' and 'PATH' records.

----
command sequence
----

# cd /root

# mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1
# rm -rf dir1/dir2
# ausearch -i -ts 02/20/2023 09:37:00 -te 02/20/2023 09:38:00 > relative_without_trailing_slash.txt

# mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1
# rm -rf dir1/dir2/
# ausearch -i -ts 02/20/2023 09:38:00 -te 02/20/2023 09:39:00 > relative_with_trailing_slash.txt

# mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1
# rm -rf /root/dir1/dir2/
# ausearch -i -ts 02/20/2023 09:39:00 -te 02/20/2023 09:40:00 > absolute_with_trailing_slash.txt

# mkdir -p /root/dir1/dir2/dir3 ; echo file1 > /root/dir1/dir2/dir3/file1
# rm -rf /root/dir1/dir2
# ausearch -i -ts 02/20/2023 09:40:00 -te 02/20/2023 09:41:00 > absolute_without_trailing_slash.txt

----
results
----

----
# cat relative_without_trailing_slash.txt # (edited)
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2
type=PATH : item=1 name=dir3 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2
type=PATH : item=1 name=dir1/dir2 nametype=DELETE
type=PATH : item=0 name=dir1/ nametype=PARENT
type=CWD : cwd=/root
----

----
# cat relative_with_trailing_slash.txt # (edited)
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=1 name=dir3 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=2 name=(null) nametype=DELETE
type=PATH : item=1 name=(null) nametype=PARENT
type=PATH : item=0 name=dir1/ nametype=PARENT
type=CWD : cwd=/root
----

----
# cat absolute_with_trailing_slash.txt # (edited)
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2/
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2/
type=PATH : item=1 name=dir3 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2/
type=PATH : item=2 name=(null) nametype=DELETE
type=PATH : item=1 name=(null) nametype=PARENT
type=PATH : item=0 name=/root/dir1/ nametype=PARENT
type=CWD : cwd=/root
----

----
# cat absolute_without_trailing_slash.txt # (edited)
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2
type=PATH : item=1 name=dir3 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2
type=PATH : item=1 name=/root/dir1/dir2 nametype=DELETE
type=PATH : item=0 name=/root/dir1/ nametype=PARENT
type=CWD : cwd=/root
----

Tested on

Red Hat 9.0, Alma 9.0
kernel - 5.14.0-70.13.1.el9_0.x86_6
packages - audit.x86_64, audit-libs.x86_64 - 3.0.7-103.el9

Red Hat 8.6, Alma 8.6
kernel - 4.18.0-372.9.1.el8.x86_64
packages - audit.x86_64, audit-libs.x86_64 - 3.0.7-4.el8

Red Hat 7.9, CentOS 7.9
kernel - 3.10.0-1160.80.1.el7.x86_64
packages - audit.x86_64, audit-libs.x86_64 - 2.8.5-4.el7

Ubuntu 22.04.2
kernel - 5.15.0-60-generic
packages - auditd, libaudit-common, libaudit-dev:amd64, libaudit1:amd64 - 1:3.0.7-1build1

----

Configuration files on Red Hat 9.0

----
/etc/audit/audit.rules
----

-D
-b 8192
-f 1
-w / -p w -k TEST
--backlog_wait_time 60000

----
/etc/audit/auditd.conf
----

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 1200
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2

----
----

As suggested by Steve, I also checked the following rules independently, instead of '-w / -p w -k TEST'.

-a always,exit -F arch=b64 -F dir=/root/dir1/dir2/dir3/ -k TEST
-a always,exit -F arch=b64 -F path=/root/dir1/dir2/dir3/file1 -k TEST
-a always,exit -F arch=b64 -S unlinkat -k TEST

And I always get the same results as in the watch '-w / -p w' case. There is still not enough information in the 'audit.log' file to reconstruct the full path to the deleted file.

On the other hand, the goal is to monitor events across the file system. There is no way to predict what will be deleted. Therefore, applying rules to specific directories and files seems to be the wrong way to go.

----
/Jarek.
jjozwiak (at) catalogicsoftware.com


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
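As an added example (not part of the original report or of the audit project's code), the following Python script parses 'ausearch -i' style records of the kind shown above and classifies each DELETE record by whether the full path can be reconstructed from the CWD and PATH records alone. The sample input is constructed from the records in the report; the classification rules are a heuristic derived from those records (a relative DELETE name is treated as anchored only when a relative PARENT record is a prefix of it), not a statement of the kernel's own semantics. Such a pass over a real log lets a defender count how many deletion events cannot be attributed to a definite path before relying on the log for forensics.

```python
"""Classify audit DELETE records by path reconstructability.

Input format: 'ausearch -i' style lines such as
    type=PATH : item=1 name=file1 nametype=DELETE
with events separated by lines starting with '----'.
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input, assembled from the records quoted in the report.
SAMPLE_LOG = """\
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=1 name=file1 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=1 name=dir3 nametype=DELETE
type=PATH : item=0 name=/root nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2/
type=PATH : item=2 name=(null) nametype=DELETE
type=PATH : item=1 name=(null) nametype=PARENT
type=PATH : item=0 name=dir1/ nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf dir1/dir2
type=PATH : item=1 name=dir1/dir2 nametype=DELETE
type=PATH : item=0 name=dir1/ nametype=PARENT
type=CWD : cwd=/root
----
type=PROCTITLE : proctitle=rm -i -rf /root/dir1/dir2
type=PATH : item=1 name=/root/dir1/dir2 nametype=DELETE
type=PATH : item=0 name=/root/dir1/ nametype=PARENT
type=CWD : cwd=/root
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value tokens
MISSING = (None, '(null)')


def parse_fields(line):
    """Turn 'type=PATH : item=1 name=x nametype=DELETE' into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


@dataclass
class Event:
    cwd: Optional[str] = None
    deleted: list = field(default_factory=list)  # names with nametype=DELETE
    parents: list = field(default_factory=list)  # names with nametype=PARENT


def parse_events(text):
    """Split the text at '----' separators and collect CWD/PATH data per event."""
    events, cur = [], Event()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('----'):
            if cur.cwd or cur.deleted:
                events.append(cur)
            cur = Event()
            continue
        f = parse_fields(line)
        if f.get('type') == 'CWD':
            cur.cwd = f.get('cwd')
        elif f.get('type') == 'PATH':
            if f.get('nametype') == 'DELETE':
                cur.deleted.append(f.get('name'))
            elif f.get('nametype') == 'PARENT':
                cur.parents.append(f.get('name'))
    if cur.cwd or cur.deleted:
        events.append(cur)
    return events


def reconstruct(event):
    """Return a list of (status, path) for each DELETE name in the event.

    'full'      - the records determine the path (absolute name, or a relative
                  name anchored by a relative PARENT prefix plus the CWD)
    'ambiguous' - a bare name whose only PARENT is absolute; in the report that
                  PARENT is the CWD, not the real directory, so the join is a guess
    'lost'      - name=(null): nothing to reconstruct
    """
    results = []
    for name in event.deleted:
        if name in MISSING:
            results.append(('lost', None))
            continue
        if name.startswith('/'):
            results.append(('full', posixpath.normpath(name)))
            continue
        # Heuristic (assumption, not audit semantics): a relative PARENT such as
        # 'dir1/' that prefixes the DELETE name 'dir1/dir2' anchors both to CWD.
        anchored = any(p not in MISSING and not p.startswith('/')
                       and name.startswith(p.rstrip('/') + '/')
                       for p in event.parents)
        if anchored and event.cwd:
            results.append(('full', posixpath.normpath(posixpath.join(event.cwd, name))))
            continue
        base = next((p for p in event.parents if p not in MISSING and p.startswith('/')),
                    event.cwd)
        guess = posixpath.normpath(posixpath.join(base, name)) if base else None
        results.append(('ambiguous', guess))
    return results


def summarize(text):
    """Return ({status: count}, [(status, path), ...]) for a whole log excerpt."""
    counts = {'full': 0, 'ambiguous': 0, 'lost': 0}
    rows = []
    for ev in parse_events(text):
        for status, path in reconstruct(ev):
            counts[status] += 1
            rows.append((status, path))
    return counts, rows


if __name__ == '__main__':
    counts, rows = summarize(SAMPLE_LOG)
    for status, path in rows:
        print(f'{status:10s} {path}')
    print(counts)
```

On the constructed sample the script marks the two bare-name records (file1, dir3) as ambiguous, the (null) record as lost, and only the two records that name the top-level directory itself as fully reconstructable, which matches the "apart from two cases" observation in the report.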
