Open silverbullet49 opened 5 years ago
Hi,
Having the same issue in Audit 2.4 (on Ubuntu 16.04) - 2.8 (on CentOS 7):
Command:

```
[root@centos ~]# rm -rf /home/vagrant/test
```

Log fragment:

```
type=SYSCALL msg=audit(1568884449.796:774): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=b60528 a2=0 a3=7ffd35c21de0 items=2 ppid=2934 pid=28295 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=8 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="wazuh_fim"
type=CWD msg=audit(1568884449.796:774): cwd="/root"
type=PATH msg=audit(1568884449.796:774): item=0 name="/root" inode=927716 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1568884449.796:774): item=1 name="file10" inode=923505 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=DELETE cap_fp=0000000000000000
```

Here, `item=0 name="/root" inode=927716` matches `cwd="/root"` instead of `/home/vagrant/test` as we expect. On the other hand, 927716 is the inode of the folder `/home/vagrant/test`.
However, we see that this behavior is fixed in Audit 3.0 (on Fedora 30):
Command:

```
[root@fedora ~]# rm -rf /root/test/testfolder
```

Log fragment:

```
type=SYSCALL msg=audit(1568887832.792:884): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5638459b7490 a2=30900 a3=0 items=1 ppid=2955 pid=3572 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="test"ARCH=x86_64 SYSCALL=openat AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1568887832.792:884): cwd="/root"
type=PATH msg=audit(1568887832.792:884): item=0 name="/root/test/testfolder" inode=1966090 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0OUID="root" OGID="root"
type=PROCTITLE msg=audit(1568887832.792:884): proctitle=726D002D7266002F726F6F742F746573742F707275656261
```

Here, we have `item=0 name="/root/test/testfolder" inode=1966090`, as expected.
Could you confirm this, please?
Thanks in advance. Best regards.
@vikman90 the differences across distros are likely the result of different kernels, not the audit daemon. What kernel versions are you running on each system? I'm guessing that you are running an older kernel on your Ubuntu 16.04 and CentOS 7.x systems and the Fedora 30 system has a newer kernel (with a number of audit related fixes).
@pcmoore Thank you for your prompt response.
We had this issue on the following systems:

| Distro | Kernel | Audit |
|---|---|---|
| CentOS 7 | 3.10.0-957.21.3.el7.x86_64 | 2.8.4 |
| Ubuntu 16.04 | 4.15.0-62-generic | 2.4.5 |

And it seems to work on:

| Distro | Kernel | Audit |
|---|---|---|
| Fedora 30 | 5.0.9-301.fc30.x86_64 | 3.0 |
Thank you again. Best regards.
It's always hard to know exactly what is in a distro kernel, but the CentOS 7.x kernels are very old and there are likely a number of patches/fixes that are absent in those kernels which could affect the audit PATH records. The same situation exists for Ubuntu 16.04, although it is less severe in that case.
For reference, we just released Linux v5.3 this past Sunday (September 15, 2019).
My current working directory is /home/kslee.

When I execute `touch test_dir/hello`, auditd fills the name field with "test_dir/hello" as shown below.

When I execute `rm -rf test_dir`, auditd logs two removal events (test_dir/hello, test_dir). I expected the name field to be filled with "test_dir/hello", but it has only "hello" as shown below.

These pictures are the result of executing `ausearch -i /var/log/audit/audit.log`, and before the `touch` and `rm -rf`, I ran `auditctl -a always,exit -S all -F dir=/home -F perm=w -F uid!=0 -F key=sysmgr_write_key`.
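As an added example (not code from this issue, from the audit project, or from any of the commenters), here is a small Python parser for the two questions raised above: how a consumer should turn an audit PATH `name=` into a full path, and what to do when an older kernel writes the wrong PARENT name. It groups records by serial, reads `a0` from the SYSCALL record to decide whether a relative name is relative to a dirfd (the PARENT item, as in the `unlinkat` record with `a0=4`) or to the CWD record (`a0=ffffff9c`, AT_FDCWD, as in the `openat` record), and lets an optional `(dev, inode)` inventory of the kind a file integrity monitor keeps override the logged name, which recovers `/home/vagrant/test` from inode 927716. The sample records are the issue's own fragments, trimmed; the dirfd syscall table is an assumption taken from the x86_64 syscall list, not from the issue.

```python
"""Regroup Linux audit records by serial and reconstruct the path each PATH item names."""
import posixpath
import re
from collections import defaultdict

# Constructed sample: the two fragments quoted in this issue (audit 2.8 on CentOS 7,
# audit 3.0 on Fedora 30), trimmed to the fields this parser reads.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1568884449.796:774): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=b60528 a2=0 a3=7ffd35c21de0 items=2 pid=28295 auid=1000 uid=0 comm="rm" exe="/usr/bin/rm" key="wazuh_fim"
type=CWD msg=audit(1568884449.796:774): cwd="/root"
type=PATH msg=audit(1568884449.796:774): item=0 name="/root" inode=927716 dev=08:01 mode=040755 ouid=0 ogid=0 objtype=PARENT
type=PATH msg=audit(1568884449.796:774): item=1 name="file10" inode=923505 dev=08:01 mode=0100644 ouid=0 ogid=0 objtype=DELETE
type=SYSCALL msg=audit(1568887832.792:884): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5638459b7490 a2=30900 a3=0 items=1 pid=3572 auid=0 uid=0 comm="rm" exe="/usr/bin/rm" key="test"
type=CWD msg=audit(1568887832.792:884): cwd="/root"
type=PATH msg=audit(1568887832.792:884): item=0 name="/root/test/testfolder" inode=1966090 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

# x86_64 syscalls whose a0 is a directory fd (assumption: taken from the x86_64 table;
# the issue itself only shows openat=257 and unlinkat=263).
DIRFD_IN_A0 = {257, 258, 259, 260, 261, 262, 263, 268, 269}
AT_FDCWD = 0xFFFFFF9C  # -100 as the 32-bit value audit prints for a0


def parse_record(line):
    """Split one audit record into its key=value fields (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def group_events(log_text):
    """Collect the SYSCALL, CWD and PATH records that share one serial number."""
    events = defaultdict(lambda: {"syscall": {}, "cwd": None, "paths": []})
    for line in log_text.splitlines():
        match = SERIAL_RE.search(line)
        if not match:
            continue
        rec = parse_record(line)
        event = events[int(match.group(1))]
        if rec["type"] == "SYSCALL":
            event["syscall"] = rec
        elif rec["type"] == "CWD":
            event["cwd"] = rec["cwd"]
        elif rec["type"] == "PATH":
            event["paths"].append(rec)
    return dict(events)


def item_kind(rec):
    """Audit 2.x labels the item role objtype=, audit 3.x nametype=."""
    return rec.get("nametype") or rec.get("objtype") or "UNKNOWN"


def relative_to_dirfd(syscall_rec):
    """True when a relative PATH name is relative to the dirfd in a0 (logged as the
    PARENT item) rather than to the CWD record, as for unlinkat with a0=4 above."""
    try:
        number = int(syscall_rec["syscall"])
        a0 = int(syscall_rec["a0"], 16)
    except (KeyError, ValueError):
        return False
    return number in DIRFD_IN_A0 and (a0 & 0xFFFFFFFF) != AT_FDCWD


def resolve_paths(event, inode_index=None):
    """Return {item number: absolute path} for one event.

    inode_index is an optional {(dev, inode): path} inventory such as a file
    integrity monitor keeps; when it knows an item's (dev, inode) that path is
    used instead of the logged name, which is the workaround for a kernel
    that writes cwd into the PARENT name as the CentOS 7 record above does.
    """
    inode_index = inode_index or {}
    cwd = event["cwd"] or "/"
    use_parent = relative_to_dirfd(event["syscall"])
    resolved, parent = {}, None
    for rec in sorted(event["paths"], key=lambda r: int(r["item"])):
        item, name = int(rec["item"]), rec.get("name", "")
        known = inode_index.get((rec.get("dev"), int(rec.get("inode", -1))))
        if known is not None:
            full = known
        elif name.startswith("/"):
            full = name
        elif use_parent and parent is not None:
            full = posixpath.join(parent, name)
        else:
            full = posixpath.join(cwd, name)
        full = posixpath.normpath(full)
        if item_kind(rec) == "PARENT":
            parent = full
        resolved[item] = full
    return resolved


if __name__ == "__main__":
    # Inventory entry for the directory the issue says inode 927716 really is.
    inventory = {("08:01", 927716): "/home/vagrant/test"}
    for serial, event in sorted(group_events(SAMPLE_LOG).items()):
        print(serial, "as logged:", resolve_paths(event))
        print(serial, "with inventory:", resolve_paths(event, inventory))
```

Run as-is, event 774 resolves to `/root/file10` from the logged records, which is the wrong answer the CentOS 7 kernel produces, and to `/home/vagrant/test/file10` once the inventory is consulted; event 884 resolves to `/root/test/testfolder` either way. The practical point for a consumer such as a FIM is to key on `dev`/`inode` of the PARENT item rather than trusting its `name=` on kernels of that vintage.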