linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: audit log #148

Open hqh2010 opened 1 year ago

hqh2010 commented 1 year ago

fix:audit.log can't record correctly when rm the dir end with '/'

step:

  1. mkdir test

  2. touch test/111.txt

  3. rm -r test/

Log:

type=PATH msg=audit(1690506313.361:2505): item=1 name=(null) inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0

type=PATH msg=audit(1690506313.361:2505): item=2 name=(null) inode=1049384 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0

Change-Id: I6b242a062ced1e3db129b9b9e5f155c681561c2a
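An added example, not part of the original issue or of the kernel project's code: a Python scan of audit log lines that finds PATH records logged with `name=(null)`, as in the two records above, and groups them by event so the affected deletions can still be followed up by inode and device. The function names and the third sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# Record header, e.g. type=PATH msg=audit(1690506313.361:2505):
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; a value is either a quoted string or a bare token
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The first two lines are the records from the report. The third is
# constructed (hypothetical) to show a PATH record with a normal name.
SAMPLE = [
    'type=PATH msg=audit(1690506313.361:2505): item=1 name=(null) inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0',
    'type=PATH msg=audit(1690506313.361:2505): item=2 name=(null) inode=1049384 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0',
    'type=PATH msg=audit(1690506399.000:2600): item=1 name="other/111.txt" inode=1049400 dev=fc:03 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0',
]

def parse_record(line):
    """Return (type, timestamp, serial, fields), or None for other lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return rtype, ts, int(serial), fields

def find_nameless_paths(lines):
    """Map (timestamp, serial) -> PATH items that were logged as name=(null)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, f = rec
        # A real path is quoted or hex-encoded; the bare token (null)
        # means the record carries no name for this item.
        if rtype == "PATH" and f.get("name") == "(null)":
            hits[(ts, serial)].append({
                "item": int(f["item"]),
                "nametype": f.get("nametype"),
                "inode": int(f["inode"]),
                "dev": f.get("dev"),
            })
    return dict(hits)

if __name__ == "__main__":
    for (ts, serial), items in find_nameless_paths(SAMPLE).items():
        for it in items:
            print(f"event {ts}:{serial} item={it['item']} {it['nametype']} "
                  f"inode={it['inode']} dev={it['dev']} has no name")
```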

pcmoore commented 1 year ago

Hi @hqh2010, thanks for debugging this and submitting a PR! I haven't had a chance to properly review it, but we generally ask for Linux Kernel patches to be sent via the Linux Audit mailing list at audit@vger.kernel.org.

Are you familiar with the Linux Kernel patch submission process? If not, there is a document which goes into detail on the process (link below). If you have any questions I'm happy to help.

pcmoore commented 6 months ago

Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?

hqh2010 commented 6 months ago

I'm sorry, I can't submit this PR; you can submit this PR instead, thanks.

At 2024-02-15 00:05:48, "Paul Moore" @.***> wrote:

Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?


Avenger-285714 commented 6 months ago

Hi @pcmoore,

I'm writing to you on behalf of my former colleague, @hqh2010, who reported a bug in kernel audit.

The bug was discovered when a customer called the kernel audit function in UnionTechOS distribution.

@hqh2010 has since left Uniontech, but I will improve this bugfix patch and send it to the audit subsystem mailing list as soon as possible.

I will also include @hqh2010's name in the commit message.

Thanks for your time.

Best regards,

WangYuli. wangyuli@uniontech.com

pcmoore commented 6 months ago

That would be great, thank you @Avenger-285714 (and @hqh2010)!

ramzcode commented 4 months ago

@pcmoore Exactly the same behavior on RHEL 8.7 as well, with audit-3.0.7-4.el8.x86_64 and 4.18.0-425.13.1.el8_7.x86_64. Is there any workaround to get it sorted?

pcmoore commented 4 months ago

Hi @ramzcode, last I saw @Avenger-285714 was planning to submit a kernel patch to address the problem so I was waiting on that to happen. If @Avenger-285714 is not able or willing to post a patch we can look into alternate ways to submit and discuss the patch upstream.

However, as you are mentioning RHEL, you may want to contact your IBM/RH support team to look for an answer. We do not support RHEL kernels in this GitHub.