linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

Q: why does the kernel audit module not record the absolute path of the file #147

Closed hqh2010 closed 1 year ago

hqh2010 commented 1 year ago

config of system:

uos@uos-PC:~/Desktop$ sudo auditctl -l
-w /home/uos/Desktop -p wa -k file_wa_audit
uos@uos-PC:~/Desktop$ tree test
test
└── 111.txt

0 directories, 1 file
uos@uos-PC:~/Desktop$ rm -r test

the content of /var/log/audit/audit.log

type=SYSCALL msg=audit(1690443959.176:1267): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=6888f8 a2=0 a3=fffffffffffffbbb items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1267): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1267): proctitle=726D002D720074657374

type=SYSCALL msg=audit(1690443959.176:1268): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=6874a0 a2=200 a3=100 items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1268): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1268): item=0 name="/home/uos/Desktop" inode=1048584 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1268): item=1 name="test" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1268): proctitle=726D002D720074657374

question: the absolute path of 111.txt is /home/uos/Desktop/test/111.txt, but we cannot get the absolute path of 111.txt from audit.log

the version of the kernel

uos@uos-PC:~/Desktop$ uname -a
Linux uos-PC 4.19.0-amd64-desktop #6100 SMP Thu Jul 20 13:37:54 CST 2023 x86_64 GNU/Linux

pcmoore commented 1 year ago

There are two audit records in that single audit event, which when combined provide the full path to the file.

The first audit record indicates the parent directory:

type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

... and the second indicates the file being deleted:

type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

pcmoore commented 1 year ago

The above response should answer your question so I'm going to close this issue, but if you have any additional follow-up questions please feel free to reopen this issue.

hqh2010 commented 1 year ago

> The above response should answer your question so I'm going to close this issue, but if you have any additional follow-up questions please feel free to reopen this issue.

question: Yes, there are two records, and the serial of each one is the same, but how can we see that the parent of '111.txt' is the 'test' dir?

Take the following scenario:

step:

  1. mkdir test
  2. touch test/111.txt
  3. touch 111.txt
  4. rm -r test 111.txt

the logs are as follows:

type=SYSCALL msg=audit(1690509108.655:2625): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=55bbbf8bda58 a2=0 a3=200 items=2 ppid=86610 pid=89214 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts9 ses=3 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="file_wa_audit"ARCH=x86_64 SYSCALL=unlinkat AUID="uos" UID="uos" GID="uos" EUID="uos" SUID="uos" FSUID="uos" EGID="uos" SGID="uos" FSGID="uos"
type=CWD msg=audit(1690509108.655:2625): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690509108.655:2625): item=0 name="/home/uos/Desktop" inode=1049529 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="uos" OGID="uos"
type=PATH msg=audit(1690509108.655:2625): item=1 name="111.txt" inode=1049530 dev=fc:03 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="uos" OGID="uos"
type=PROCTITLE msg=audit(1690509108.655:2625): proctitle=726D002D720074657374003131312E747874

type=SYSCALL msg=audit(1690509108.655:2626): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55bbbf8bc4e0 a2=200 a3=200 items=2 ppid=86610 pid=89214 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts9 ses=3 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="file_wa_audit"ARCH=x86_64 SYSCALL=unlinkat AUID="uos" UID="uos" GID="uos" EUID="uos" SUID="uos" FSUID="uos" EGID="uos" SGID="uos" FSGID="uos"
type=CWD msg=audit(1690509108.655:2626): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690509108.655:2626): item=0 name="/home/uos/Desktop" inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="uos" OGID="uos"
type=PATH msg=audit(1690509108.655:2626): item=1 name="test" inode=1049529 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="uos" OGID="uos"
type=PROCTITLE msg=audit(1690509108.655:2626): proctitle=726D002D720074657374003131312E747874

type=SYSCALL msg=audit(1690509108.655:2627): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55bbbf8bc4e0 a2=0 a3=200 items=2 ppid=86610 pid=89214 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts9 ses=3 comm="rm" exe="/usr/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="file_wa_audit"ARCH=x86_64 SYSCALL=unlinkat AUID="uos" UID="uos" GID="uos" EUID="uos" SUID="uos" FSUID="uos" EGID="uos" SGID="uos" FSGID="uos"
type=CWD msg=audit(1690509108.655:2627): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690509108.655:2627): item=0 name="/home/uos/Desktop" inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="uos" OGID="uos"
type=PATH msg=audit(1690509108.655:2627): item=1 name="111.txt" inode=1049531 dev=fc:03 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="uos" OGID="uos"
type=PROCTITLE msg=audit(1690509108.655:2627): proctitle=726D002D720074657374003131312E747874

the same issue: https://github.com/linux-audit/audit-kernel/issues/133

pcmoore commented 1 year ago

> Yes, there are two records, and the serial of each one is the same, but how can we see that the parent of '111.txt' is the 'test' dir?

When comparing timestamps to group audit records into a single audit event, you need to consider the full timestamp and not just everything before the period. For example, given a timestamp of 1690509108.655:2625, comparing just the 1690509108 portion is incorrect, one must compare the full string of 1690509108.655:2625.

With that in mind, in the first audit event, in the audit stream shown above each audit event that contains PATH records contains two PATH records; one is marked as a PARENT (nametype=PARENT) and one is marked as DELETE (nametype=DELETE). The PARENT record is the parent directory, and the DELETE record is the file being deleted.

> the same issue: #133

Issue #133 is unrelated to this issue.

hqh2010 commented 1 year ago

type=SYSCALL msg=audit(1690443959.176:1267): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=6888f8 a2=0 a3=fffffffffffffbbb items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1267): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1267): proctitle=726D002D720074657374

type=SYSCALL msg=audit(1690443959.176:1268): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=6874a0 a2=200 a3=100 items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1268): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1268): item=0 name="/home/uos/Desktop" inode=1048584 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1268): item=1 name="test" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1268): proctitle=726D002D720074657374

Thanks.
The records come one by one, and the absolute path of the file has to consider all the records; it seems unreasonable, and we cannot get the absolute path of the file clearly.

log:

type=SYSCALL msg=audit(1690443959.176:1267): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=6888f8 a2=0 a3=fffffffffffffbbb items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1267): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1267): proctitle=726D002D720074657374

type=SYSCALL msg=audit(1690443959.176:1268): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=6874a0 a2=200 a3=100 items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1268): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1268): item=0 name="/home/uos/Desktop" inode=1048584 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1268): item=1 name="test" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1268): proctitle=726D002D720074657374

the parent dir of '111.txt' is not '/home/uos/Desktop'

A related comment from https://github.com/linux-audit/audit-userspace/issues/231:

> Author dreamtale90 commented on Dec 24, 2021 @stevegrubb Thank you very much for your reply. I may not express the problem clearly. Just as you mentioned, I am now using the auparse library to parse the audit event, my problem is how to get an absolute path information of the operational file. Take the rename mentioned earlier, Item0's name is directory of 234.txt, Item1's name is directory of 345.txt, Item2's name is file name of 234.txt, Item3's name is file name of 345.txt. So, the absolute path of 234.txt can be obtained by Item0 and Item2, Item1 and Item3 can get absolute path of 345.txt. But the number of Items in the second log is much more, how can I get the absolute path of the file? Refer to the NameType field? I am not sure if there is still other possible situations. I hope to get better advice.

pcmoore commented 1 year ago

> the parent dir of '111.txt' is not '/home/uos/Desktop'

Ah, okay, I thought this was focused on the multiple PATH records per event; I wasn't looking so much at what was recorded in the PARENT PATH record, I was focusing on trying to explain the multiple records.

Regardless, if you are concerned about the issue represented in issue #133, follow up in that issue so we don't duplicate it here.
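An added example (not code from the audit project or from either participant) that applies the two rules in pcmoore's reply to the records quoted in this thread: group records by the full `seconds.millis:serial` id, then join each event's PARENT and DELETE names. It also cross-checks each PARENT record's dev/inode against every other PATH record, which exposes the mismatch hqh2010 points out: the PARENT inode 1051911 of event 1267 is the object deleted as "test" in event 1268, so the file was in /home/uos/Desktop/test rather than directly in Desktop. The sample records are trimmed copies of the thread's own logs.

```python
import re
from collections import defaultdict

# Constructed sample: the CWD/PATH records of events 1267 and 1268 from the issue's
# audit.log excerpt, one record per line as auditd writes them, trimmed to the fields used.
SAMPLE_LOG = """\
type=CWD msg=audit(1690443959.176:1267): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 nametype=PARENT
type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 nametype=DELETE
type=CWD msg=audit(1690443959.176:1268): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1268): item=0 name="/home/uos/Desktop" inode=1048584 dev=fe:07 nametype=PARENT
type=PATH msg=audit(1690443959.176:1268): item=1 name="test" inode=1051911 dev=fe:07 nametype=DELETE
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\):")   # full "seconds.millis:serial" id
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group records by the full event id; the seconds alone are shared by many events."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
            events[m.group(1)].append(fields)
    return events


def path_records(recs, nametype):
    return [r for r in recs if r.get("type") == "PATH" and r.get("nametype") == nametype]


def deleted_paths(events):
    """Join each event's PARENT and DELETE PATH names, as the reply above describes."""
    joined = {}
    for eid, recs in events.items():
        parents, victims = path_records(recs, "PARENT"), path_records(recs, "DELETE")
        if parents and victims:
            joined[eid] = parents[0]["name"].rstrip("/") + "/" + victims[0]["name"]
    return joined


def parent_name_conflicts(events):
    """Other names under which each PARENT record's (dev, inode) appears in the stream;
    a non-empty set means the joined path is not the directory that really held the file."""
    seen = defaultdict(set)
    for r in (r for recs in events.values() for r in recs if r.get("type") == "PATH"):
        seen[(r["dev"], r["inode"])].add(r["name"])
    return {eid: seen[(p["dev"], p["inode"])] - {p["name"]}
            for eid, recs in events.items() for p in path_records(recs, "PARENT")}
```

For event 1267 the joined path is /home/uos/Desktop/111.txt, but the conflict check reports that its PARENT inode was also named "test", which is the evidence a log consumer needs to avoid attributing the deletion to the wrong directory.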

hqh2010 commented 1 year ago

Thank you very much for your reply.

Do you think the kernel audit module should record the full path of the file? If not, what's your opinion?

pcmoore commented 1 year ago

When deleting the file I believe recording the parent in one record, and the file in another record - all within a single audit event - is sufficient for logging purposes.