Linux-audit Archive on lore.kernel.org
* renameat2 syscall is not recorded
@ 2021-03-09 18:44 Alan Evangelista
  2021-03-10  0:17 ` Paul Moore
  2021-03-10  8:06 ` Ondrej Mosnacek
From: Alan Evangelista @ 2021-03-09 18:44 UTC (permalink / raw)
  To: linux-audit

I have the following audit rule:

-a exit,always -F dir=/data -F arch=b64 -S open -S unlink -S unlinkat -S
link -S rename -S renameat S renameat2 -S chmod -S fchmod -S fchmodat -S
chown -S fchown -S fchownat -S mkdir -S rmdir -S setxattr -S lsetxattr -S
fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k filesystem_op

I straced the "mv" command to be sure it's implemented using the renameat2
syscall:

# strace mv /data/test5.txt /data/test6.txt
execve("/bin/mv", ["mv", "/data/test5.txt", "/data/test6.txt"],
0x7ffdf760a210 /* 23 vars */) = 0
(...)
renameat2(AT_FDCWD, "/data/test5.txt", AT_FDCWD, "/data/test6.txt", 0) = 0
(...)

However, I don't see any events recorded in the auditd log file when I move
files using the "mv" command. Am I doing something wrong?


Thanks in advance.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


* Re: renameat2 syscall is not recorded
  2021-03-09 18:44 renameat2 syscall is not recorded Alan Evangelista
@ 2021-03-10  0:17 ` Paul Moore
  2021-03-10  8:06 ` Ondrej Mosnacek
From: Paul Moore @ 2021-03-10  0:17 UTC (permalink / raw)
  To: Alan Evangelista; +Cc: linux-audit

On Tue, Mar 9, 2021 at 1:44 PM Alan Evangelista <alan.vitor@gmail.com> wrote:
>
> I have the following audit rule:
>
> -a exit,always -F dir=/data -F arch=b64 -S open -S unlink -S unlinkat -S link -S rename -S renameat S renameat2 -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S mkdir -S rmdir -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k filesystem_op
>
> I straced the "mv" command to be sure it's implemented using the renameat2 syscall:
>
> # strace mv /data/test5.txt /data/test6.txt
> execve("/bin/mv", ["mv", "/data/test5.txt", "/data/test6.txt"], 0x7ffdf760a210 /* 23 vars */) = 0
> (...)
> renameat2(AT_FDCWD, "/data/test5.txt", AT_FDCWD, "/data/test6.txt", 0) = 0
> (...)
>
> However, I don't see any events recorded in the auditd log file when I move files using the "mv" command. Am I doing something wrong?

This works for me on my test system, a few questions:

* What distro and kernel are you using?

* I'm assuming you see audit records for other SYSCALLS?

* Are you able to share the output of 'auditctl -l'?  If so, please do
if it isn't too long.

--
paul moore
www.paul-moore.com


* Re: renameat2 syscall is not recorded
  2021-03-09 18:44 renameat2 syscall is not recorded Alan Evangelista
  2021-03-10  0:17 ` Paul Moore
@ 2021-03-10  8:06 ` Ondrej Mosnacek
  2021-03-10 10:53   ` Alan Evangelista
From: Ondrej Mosnacek @ 2021-03-10  8:06 UTC (permalink / raw)
  To: Alan Evangelista; +Cc: Linux-Audit Mailing List

On Tue, Mar 9, 2021 at 7:44 PM Alan Evangelista <alan.vitor@gmail.com> wrote:
> I have the following audit rule:
>
> -a exit,always -F dir=/data -F arch=b64 -S open -S unlink -S unlinkat -S link -S rename
> -S renameat S renameat2 -S chmod

Not sure if this is it, but there is a "-" missing before the "S"
before "renameat2".

> -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S mkdir -S rmdir -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k filesystem_op
>
> I straced the "mv" command to be sure it's implemented using the renameat2 syscall:
>
> # strace mv /data/test5.txt /data/test6.txt
> execve("/bin/mv", ["mv", "/data/test5.txt", "/data/test6.txt"], 0x7ffdf760a210 /* 23 vars */) = 0
> (...)
> renameat2(AT_FDCWD, "/data/test5.txt", AT_FDCWD, "/data/test6.txt", 0) = 0
> (...)
>
> However, I don't see any events recorded in the auditd log file when I move files using the "mv" command. Am I doing something wrong?
>
>
> Thanks in advance.

-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
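The dropped "-" Ondrej spotted is a pure tokenization error, so it can be caught before the rules are ever loaded. The following is an added example, not code from the thread or from audit-userspace: a small hypothetical linter that walks a rules-file line with a subset of the auditctl(8) option grammar and reports any bare word that is not the argument of a flag. Run on the rule as posted, it shows that both "S" and "renameat2" are stray tokens, so renameat2 never becomes a -S argument.

```python
import shlex
# Subset of the auditctl(8) syscall-rule grammar (each flag takes one argument).
# Added, hypothetical linter for this thread's rule shape; not audit-userspace code.
FLAGS_WITH_ARG = {"-a", "-A", "-F", "-S", "-k", "-C", "-w", "-p"}
ACTIONS, LISTS = {"always", "never"}, {"task", "exit", "user", "exclude", "filesystem"}

def lint_rule(line):
    """Tokenize one rule line; return {"problems": [...], "syscalls": [...], "key": ...}."""
    problems, syscalls, key = [], [], None
    tokens = shlex.split(line, comments=True)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in FLAGS_WITH_ARG:
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                problems.append(f"{tok} is missing its argument")
                i += 1
                continue
            arg, fields = tokens[i + 1], set(tokens[i + 1].split(","))
            if tok in ("-a", "-A") and not (fields & ACTIONS and fields & LISTS):
                problems.append(f"{tok} {arg}: expected list,action such as exit,always")
            elif tok == "-S":
                syscalls.append(arg)
            elif tok == "-k":
                key = arg
            i += 2
        else:
            # Either an option this grammar does not know, or a bare word where a
            # flag should be: the dropped "-" before "S renameat2" in the thread.
            kind = "unknown option" if tok.startswith("-") else "stray token"
            problems.append(f"{kind} {tok!r}")
            i += 1
    return {"problems": problems, "syscalls": syscalls, "key": key}

def lint_rules_text(text):
    """Lint every rule line of a rules file; return {lineno: [problems]}."""
    report = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip() and not raw.lstrip().startswith("#"):
            problems = lint_rule(raw)["problems"]
            if problems:
                report[lineno] = problems
    return report

# Constructed sample rules file: the thread's rule as posted (line 2), shortened
# to the rename family, and a corrected copy (line 3).
SAMPLE_RULES = """# constructed for this example
-a exit,always -F dir=/data -F arch=b64 -S rename -S renameat S renameat2 -k filesystem_op
-a exit,always -F dir=/data -F arch=b64 -S rename -S renameat -S renameat2 -k filesystem_op
"""
```

Running `lint_rules_text` over a real /etc/audit/rules.d file before `augenrules` or `auditctl -R` gives the stdout error report the thread asks for; it mirrors only the command-line shape, not the kernel's own rule validation.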


* Re: renameat2 syscall is not recorded
  2021-03-10  8:06 ` Ondrej Mosnacek
@ 2021-03-10 10:53   ` Alan Evangelista
  2021-03-10 19:06     ` Steve Grubb
From: Alan Evangelista @ 2021-03-10 10:53 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: Linux-Audit Mailing List

OM> Not sure if this is it, but there is a "-" missing before the "S"
OM> before "renameat2".

This was indeed the issue. I found out that was the issue when I ran
"auditctl -l". Thank you.

Is there any reason why augenrules and auditctl -R don't print errors to
stdout when rules parsing errors occur?


* Re: renameat2 syscall is not recorded
  2021-03-10 10:53   ` Alan Evangelista
@ 2021-03-10 19:06     ` Steve Grubb
  2021-03-11 10:31       ` Alan Evangelista
From: Steve Grubb @ 2021-03-10 19:06 UTC (permalink / raw)
  To: Ondrej Mosnacek, linux-audit; +Cc: Linux-Audit Mailing List

On Wednesday, March 10, 2021 5:53:42 AM EST Alan Evangelista wrote:
> OM> Not sure if this is it, but there is a "-" missing before the "S"
> before "renameat2".
> 
> This was indeed the issue. I found out that was the issue when I ran
> "auditctl -l". Thank you.
> 
> Is there any reason why augenrules

It has no idea about the rules, it simply compiles the master list.

> and auditctl -R don't print errors to stdout when rules parsing errors
> occur?

If it's detected that the rules are in a file, they get sent to syslog because 
99.99% of the time, this is system boot or initscripts and we need to make 
the problem discoverable later by the system admin.

-Steve


* Re: renameat2 syscall is not recorded
  2021-03-10 19:06     ` Steve Grubb
@ 2021-03-11 10:31       ` Alan Evangelista
From: Alan Evangelista @ 2021-03-11 10:31 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux-Audit Mailing List

AE> Is there any reason why (...) auditctl -R don't print errors to stdout
AE> when rules parsing errors occur?

SG> If it's detected that the rules are in a file, they get sent to syslog
SG> because 99.99% of the time, this is system boot or initscripts and we need
SG> to make the problem discoverable later by the system admin.

I assume you meant "if it's detected that there are errors in the rules in
a rules file". IMHO the stream to which errors are output (syslog or stdout)
should be configurable, as it is *very* confusing to run auditctl -R manually
and get no errors when there is an error in rules parsing. It forces the user
to always run "auditctl -R" and "auditctl -l" to check if the rules are indeed
active, which is not intuitive at all. Regarding the initscript use case, I
think it's also very common to use "auditctl -R" while creating new audit
rules.

