linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: read event is not generated when reading is performed via a symlink #157

Closed naugustine98 closed 6 months ago

naugustine98 commented 6 months ago

I have these 2 rules in audit:

```
-a always,exit -S all -F dir=/var/tmp/dir_5 -F perm=r -F auid!=-1 -F key=ccaaaaab-ffff-ffff-ffd7-77e1c9f7b544
-w /var/tmp/dir_5 -p wa -k ccaaaaab-ffff-ffff-ffd7-77e1c9f7b544
```

Inside `/var/tmp/dir_5` there is one symlink, `thislink`, pointing to the directory `/home/nid/tests/nidhinsdir`.

When I touched a file using the symlink path (`touch /var/tmp/dir_5/thislink/nid`), I got an audit event:

```
type=PROCTITLE msg=audit(02/14/2024 15:31:36.054:49556672) : proctitle=touch /var/tmp/dir_5/thislink/nid
type=PATH msg=audit(02/14/2024 15:31:36.054:49556672) : item=1 name=/var/tmp/dir_5/thislink/nid inode=201473493 dev=fd:00 mode=file,664 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(02/14/2024 15:31:36.054:49556672) : item=0 name=/var/tmp/dir_5/thislink/ inode=201473481 dev=fd:00 mode=dir,775 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(02/14/2024 15:31:36.054:49556672) : cwd=/home/nid
type=SYSCALL msg=audit(02/14/2024 15:31:36.054:49556672) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7ffcb3c225ac a1=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK a2=0666 a3=0x7ffcb3c1fd20 items=2 ppid=6632 pid=12136 auid=nid uid=nid gid=nid euid=nid suid=nid fsuid=nid egid=nid sgid=nid fsgid=nid tty=pts0 ses=307 comm=touch exe=/usr/bin/touch subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key={17032022-4b51-405d-87af-9eb3db337dfd}
```

But when I `cat` the same file (`cat /var/tmp/dir_5/thislink/nid`), I do not get any events.
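Two checks worth running before filing a report like the one above, as an added example (this is not code from the issue, nor from the audit project). Audit `-w`/`-F dir=` rules are attached to the inodes of the watched tree, so an `open()` that follows a symlink out of that tree lands on an inode the rule does not cover, even though the PATH record still prints the lexical name under `/var/tmp/dir_5`. The script below reproduces that with a temporary directory layout of the same shape (the paths are constructed, not the reporter's real ones), and it also parses the rules and the recorded event to compare keys: the event above carries key `17032022-4b51-405d-87af-9eb3db337dfd`, which is neither of the two rule keys, so a different rule produced it. The event text is constructed from the report, trimmed to the PATH and SYSCALL records.

```python
"""Added example: why a dir= audit rule can miss an access made through a symlink.

resolves_inside()  - does the *resolved* path of an access lie under the watched dir?
rule_keys()        - keys declared by auditctl rules (-k KEY or -F key=KEY)
event_keys()       - keys recorded in an audit event's SYSCALL record
"""
import os
import re
import shlex
import shutil
import tempfile

# Constructed copies of the two rules from the report.
RULES = [
    "-a always,exit -S all -F dir=/var/tmp/dir_5 -F perm=r -F auid!=-1 "
    "-F key=ccaaaaab-ffff-ffff-ffd7-77e1c9f7b544",
    "-w /var/tmp/dir_5 -p wa -k ccaaaaab-ffff-ffff-ffd7-77e1c9f7b544",
]

# Constructed from the report's event (ausearch -i style), trimmed to PATH + SYSCALL.
EVENT = (
    "type=PATH msg=audit(02/14/2024 15:31:36.054:49556672) : item=1 "
    "name=/var/tmp/dir_5/thislink/nid inode=201473493 dev=fd:00 mode=file,664 objtype=NORMAL "
    "type=PATH msg=audit(02/14/2024 15:31:36.054:49556672) : item=0 "
    "name=/var/tmp/dir_5/thislink/ inode=201473481 dev=fd:00 mode=dir,775 objtype=PARENT "
    "type=SYSCALL msg=audit(02/14/2024 15:31:36.054:49556672) : arch=x86_64 syscall=open "
    "success=yes exit=3 comm=touch exe=/usr/bin/touch key={17032022-4b51-405d-87af-9eb3db337dfd}"
)

_KV = re.compile(r"(\w+)=(\{[^}]*\}|\S+)")  # field=value; braces may wrap the key list


def resolves_inside(watch_dir, access_path):
    """True if access_path, with symlinks followed, lies under watch_dir.
    This mirrors what a dir= / -w rule can see: the resolved inode, not the name."""
    root = os.path.realpath(watch_dir)
    target = os.path.realpath(access_path)
    return target == root or target.startswith(root + os.sep)


def build_layout():
    """Constructed layout (hypothetical paths) with the report's shape:
    dir_5/thislink -> nidhinsdir/, a file created through the link, and a local file."""
    base = tempfile.mkdtemp(prefix="auditsym-")
    watched = os.path.join(base, "dir_5")
    outside = os.path.join(base, "nidhinsdir")
    os.mkdir(watched)
    os.mkdir(outside)
    os.symlink(outside, os.path.join(watched, "thislink"))
    # "touch" through the symlink: the inode is created in nidhinsdir/, not dir_5/
    open(os.path.join(watched, "thislink", "nid"), "w").close()
    open(os.path.join(watched, "local"), "w").close()
    return base, watched


def rule_keys(rules):
    """Collect keys from auditctl rule strings: '-k KEY' or '-F key=KEY'."""
    keys = set()
    for rule in rules:
        toks = shlex.split(rule)
        for i, tok in enumerate(toks[:-1]):
            if tok == "-k":
                keys.add(toks[i + 1])
            elif tok == "-F" and toks[i + 1].startswith("key="):
                keys.add(toks[i + 1][len("key="):])
    return keys


def parse_audit_event(text):
    """Split one event (records run together on a line) into {type: [fields, ...]}."""
    records = {}
    for rec in re.split(r"\s+(?=type=\w+ msg=audit)", text.strip()):
        fields = dict(_KV.findall(rec))
        records.setdefault(fields.pop("type"), []).append(fields)
    return records


def event_keys(text):
    """Keys on the SYSCALL record; multiple matching rules are comma-separated."""
    raw = parse_audit_event(text)["SYSCALL"][0].get("key", "")
    return {k for k in raw.strip('{}"').split(",") if k and k != "(null)"}


def run_demo():
    """Return the findings a practitioner would check for the reported case."""
    base, watched = build_layout()
    try:
        via_link = os.path.join(watched, "thislink", "nid")
        local = os.path.join(watched, "local")
        return {
            "via_symlink_inside_tree": resolves_inside(watched, via_link),  # False
            "local_inside_tree": resolves_inside(watched, local),           # True
            "event_keys": event_keys(EVENT),
            "rule_keys": rule_keys(RULES),
            "event_from_these_rules": bool(event_keys(EVENT) & rule_keys(RULES)),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

`via_symlink_inside_tree` comes back False: the file reached through `thislink` resolves outside `dir_5`, so neither the `-w` watch nor the `dir=` rule covers its inode, for the `cat` as much as for the `touch`. The key comparison shows the `touch` event was produced by some other rule, which is the first thing to establish before concluding that a read was silently dropped.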

pcmoore commented 6 months ago

This looks to be a duplicate of https://github.com/linux-audit/audit-kernel/issues/94, I'm going to close this as a DUP, but if you feel this is a different issue please feel free to re-open the issue - thanks!