linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: auditd does not generate audit message when PATH cannot be resolved #118

Open johntolson opened 4 years ago

johntolson commented 4 years ago

When the path for an auditd event cannot be resolved, it currently does not generate an audit message. This should be changed so that even when a full PATH record cannot be generated with file attributes, an abbreviated one can be generated. For those that use the audit service for security monitoring, this is a big security hole.

An example of the problem follows (and provides an easy re-create): I have the following 2 audit rules set up:

```
-a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
-a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1
```

I have a directory structure like the following:

```
(13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/
total 257
drwx------.  3 root root   4096 Nov  7 12:46 .
drwxr-xr-x. 15 root root 262144 Nov  7 12:50 ..
drwx------.  2 root root   4096 Nov  7 12:46 test2
```

Essentially, directory "/gpfs/fs1/test/" is owned by root and has permissions 700. The subdirectory underneath it (with path /gpfs/fs1/test/test2) is also owned by root and has permissions 700.

When I have a non-root user attempt to list the contents of directory "/gpfs/fs1/test/" I receive an audit message for the denied access. However, when the non-root user attempts to list the contents of the subdirectory (/gpfs/fs1/test/test2), there is no audit message generated. In the second case, where no audit message is generated, it is because the full path is not available. In this case an audit message should still be created, even if it contains just a partial path.
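The monitoring-side view of the report above, as an added example (my code, not the audit project's and not from this thread): a small parser that groups auditd records by event id and lists, for every syscall denied with EACCES or EPERM, the PATH names the kernel recorded. The log lines are constructed to look like auditd output and are not real captures; the second event models the abbreviated record the reporter asks for (a SYSCALL record with no resolvable PATH name), which is an assumption about the requested behaviour, not what the kernel emits today, where the event is simply absent.

```python
"""Group Linux audit records by event id and report, for every denied syscall
(exit=-EACCES or -EPERM), which PATH names were recorded.

Added example for this issue thread; not code from the audit project. The
log lines below are constructed to look like auditd output and are not real
captures. Event 4202 models the abbreviated record the reporter asks for: a
SYSCALL record with no resolvable PATH name (an assumption, not current
kernel behaviour).
"""
import re
from collections import defaultdict

EACCES = -13
EPERM = -1

# Constructed sample records in auditd's "type=... msg=audit(ts:id): k=v ..." layout.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1699369526.101:4201): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=4321 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=CWD msg=audit(1699369526.101:4201): cwd="/home/alice"
type=PATH msg=audit(1699369526.101:4201): item=0 name="/gpfs/fs1/test/" inode=262145 dev=00:2f mode=040700 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1699369530.415:4202): arch=c000003e syscall=257 success=no exit=-13 items=0 pid=4321 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=CWD msg=audit(1699369530.415:4202): cwd="/home/alice"
type=SYSCALL msg=audit(1699369540.002:4203): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=4321 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=PATH msg=audit(1699369540.002:4203): item=0 name="/gpfs/fs1/public/" inode=262200 dev=00:2f mode=040755 ouid=0 ogid=0 nametype=NORMAL
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<body>.*)$'
)
# key=value pairs; values are either a double-quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return (event_id, record_type, fields) for one audit line, or None if it does not parse."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group('body')):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return int(m.group('id')), m.group('type'), fields


def group_events(log_text):
    """Collect records by audit event id; each event maps record type -> list of field dicts."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            event_id, rtype, fields = parsed
            events[event_id][rtype].append(fields)
    return events


def denied_events(log_text):
    """Return [(event_id, exit_code, names)] for syscalls that failed with EACCES or EPERM.

    names is the list of PATH names recorded for the event; an empty list is the
    situation the report describes, a denial whose audit trail carries no path.
    """
    results = []
    for event_id, records in sorted(group_events(log_text).items()):
        for syscall in records.get('SYSCALL', []):
            exit_code = int(syscall.get('exit', '0'))
            if exit_code not in (EACCES, EPERM):
                continue
            names = [p['name'] for p in records.get('PATH', []) if 'name' in p]
            results.append((event_id, exit_code, names))
    return results


if __name__ == '__main__':
    for event_id, exit_code, names in denied_events(SAMPLE_LOG):
        where = ', '.join(names) if names else '<no PATH record: path unresolved>'
        print(f'event {event_id}: exit={exit_code} path(s): {where}')
```

Run against a real log, the empty-`names` branch is where a monitor would surface "access denied under /gpfs/fs1, path not resolved" instead of nothing at all; with the current behaviour described in the report, the event never reaches the log, so there is nothing for the consumer to flag.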

pcmoore commented 4 years ago

NOTE: I edited the original posting to make the directory structure example a fixed-width font code block for readability; the contents were not changed in any way.

Gentser commented 8 months ago

Greetings! @pcmoore , what do you mean by saying "it is because the full path is not available"?

I experienced the same problem. And, as I suppose, in your case an audit event should be generated with object "/gpfs/fs1/test", as it is part of the path to the target directory "/gpfs/fs1/test/test2" that is being accessed. But it's not sent either.

pcmoore commented 8 months ago

> Greetings! @pcmoore , what do you mean by saying "it is because the full path is not available"?

I did not say that, the original poster did in their initial report (see above).