linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: ARG_PATH record #65

Open stevegrubb opened 7 years ago

stevegrubb commented 7 years ago

In some cases, a path record is not included in an event because the end item cannot be resolved due to permissions. Meanwhile, the path as a string is usually pointed to by a0 or a1. Since a fully formed PATH record cannot be written to include things like mode and owner, we should just record the path name in its own record which only includes the path.

An example of an event that could be augmented is as follows:

node=x2 type=PROCTITLE msg=audit(08/01/2017 07:19:37.240:52) : proctitle=/usr/lib/systemd/systemd-journald
node=x2 type=SYSCALL msg=audit(08/01/2017 07:19:37.240:52) : arch=x86_64 syscall=access success=no exit=ENOENT(No such file or directory) a0=0x7f6ae79effc8 a1=F_OK a2=0x7f6ae7bf8360 a3=0x67c40391d0 items=0 ppid=1 pid=533 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)
node=x2 type=AVC msg=audit(08/01/2017 07:19:37.240:52) : avc: denied { read } for pid=533 comm=systemd-journal name=run dev="nvme0n1p2" ino=2228227 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=1

Access provides the path as a string pointed to by a0. Another example:

node=x2 type=PROCTITLE msg=audit(08/01/2017 07:19:37.732:64) : proctitle=/sbin/alsactl -E ALSA_CONFIG_PATH=/etc/alsa/alsactl.conf --initfile=/lib/alsa/init/00main nrestore /dev/snd/controlC0
node=x2 type=SYSCALL msg=audit(08/01/2017 07:19:37.732:64) : arch=x86_64 syscall=open success=no exit=ENOENT(No such file or directory) a0=0xbcf9930f71 a1=O_RDWR a2=0x7ffd78568b7b a3=0x69 items=0 ppid=610 pid=718 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=alsactl exe=/usr/sbin/alsactl subj=system_u:system_r:alsa_t:s0-s0:c0.c1023 key=(null)
node=x2 type=AVC msg=audit(08/01/2017 07:19:37.732:64) : avc: denied { read } for pid=718 comm=alsactl name=lock dev="nvme0n1p2" ino=2228226 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=1

The file name is pointed to by a0.
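The following script is an added example, not code from the audit project or from anyone in this thread. It shows, from the log consumer's side, the gap the request above describes: it groups ausearch -i style records into events by serial number and flags every event where a path-taking syscall ran but no PATH record was emitted (items=0), reporting the only things that survive, the userspace pointer in a0/a1 and the last path component that an accompanying AVC record happens to carry in name=. The two events are the ones quoted above, split one record per line; the third (serial 70, openat with a PATH record) is constructed so the filter has a normal event to ignore. The mapping of syscalls to the argument holding the pathname is my assumption beyond the access/open cases the issue names.

```python
import re
from collections import defaultdict

# Records from the two events quoted in the issue (one record per line) plus a
# constructed openat event (serial 70) that does carry a PATH record.
SAMPLE_RECORDS = """\
node=x2 type=PROCTITLE msg=audit(08/01/2017 07:19:37.240:52) : proctitle=/usr/lib/systemd/systemd-journald
node=x2 type=SYSCALL msg=audit(08/01/2017 07:19:37.240:52) : arch=x86_64 syscall=access success=no exit=ENOENT(No such file or directory) a0=0x7f6ae79effc8 a1=F_OK a2=0x7f6ae7bf8360 a3=0x67c40391d0 items=0 ppid=1 pid=533 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)
node=x2 type=AVC msg=audit(08/01/2017 07:19:37.240:52) : avc: denied { read } for pid=533 comm=systemd-journal name=run dev="nvme0n1p2" ino=2228227 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=1
node=x2 type=PROCTITLE msg=audit(08/01/2017 07:19:37.732:64) : proctitle=/sbin/alsactl
node=x2 type=SYSCALL msg=audit(08/01/2017 07:19:37.732:64) : arch=x86_64 syscall=open success=no exit=ENOENT(No such file or directory) a0=0xbcf9930f71 a1=O_RDWR a2=0x7ffd78568b7b a3=0x69 items=0 ppid=610 pid=718 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=alsactl exe=/usr/sbin/alsactl subj=system_u:system_r:alsa_t:s0-s0:c0.c1023 key=(null)
node=x2 type=AVC msg=audit(08/01/2017 07:19:37.732:64) : avc: denied { read } for pid=718 comm=alsactl name=lock dev="nvme0n1p2" ino=2228226 scontext=system_u:system_r:alsa_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=lnk_file permissive=1
node=x2 type=SYSCALL msg=audit(08/01/2017 07:20:00.000:70) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x55d0c0ffee00 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=example exe=/usr/bin/example subj=system_u:system_r:init_t:s0 key=(null)
node=x2 type=PATH msg=audit(08/01/2017 07:20:00.000:70) : item=0 name=/etc/hosts inode=1 dev=00:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL
"""

# Which register holds the pathname pointer. access/open come from the issue;
# the rest is my assumption from the syscall prototypes (the *at variants
# take a dirfd first, so the path sits in a1).
PATH_ARG = {
    "access": "a0", "open": "a0", "stat": "a0", "lstat": "a0", "unlink": "a0",
    "execve": "a0", "chdir": "a0", "readlink": "a0",
    "openat": "a1", "faccessat": "a1", "newfstatat": "a1", "unlinkat": "a1",
}

HEADER_RE = re.compile(r"^(?:node=\S+ )?type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$")
# key=value tokens; a value may be quoted or carry one parenthesised tail
# such as exit=ENOENT(No such file or directory) or tty=(none).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s"(]*(?:\([^)]*\))?)')


def parse_record(line):
    """Split one ausearch -i record into type, serial and a field dict.
    Values are tokenised on whitespace, so a proctitle with spaces is only
    partially captured; that is fine for SYSCALL/AVC/PATH records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, _timestamp, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "serial": int(serial), "fields": fields}


def group_events(text):
    """Group records into events keyed by the audit serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def find_unresolved_paths(text):
    """Report events where a path-taking syscall produced no PATH record.

    Everything the auditor gets is the userspace pointer in a0/a1 and, if
    SELinux logged the denial, the last path component from AVC name=."""
    findings = []
    for serial, recs in sorted(group_events(text).items()):
        by_type = defaultdict(list)
        for r in recs:
            by_type[r["type"]].append(r)
        if not by_type["SYSCALL"] or by_type["PATH"]:
            continue  # no syscall record, or the path was resolved normally
        sc = by_type["SYSCALL"][0]["fields"]
        arg = PATH_ARG.get(sc.get("syscall"))
        if arg is None or sc.get("items") != "0":
            continue
        avc = by_type["AVC"][0]["fields"] if by_type["AVC"] else {}
        findings.append({
            "serial": serial,
            "syscall": sc["syscall"],
            "comm": sc.get("comm"),
            "exit": sc.get("exit"),
            "path_arg": arg,
            "path_ptr": sc.get(arg),            # a pointer, not the string
            "last_component": avc.get("name"),  # all the AVC record reveals
            "denied_context": avc.get("tcontext"),
        })
    return findings


if __name__ == "__main__":
    for f in find_unresolved_paths(SAMPLE_RECORDS):
        print(f"serial={f['serial']} {f['comm']} {f['syscall']} "
              f"{f['path_arg']}={f['path_ptr']} -> no PATH record; "
              f"AVC name={f['last_component']} ({f['denied_context']})")
```

Run against the sample, the script reports serials 52 and 64 and skips 70. The output makes the point of the request concrete: without an ARG_PATH style record, a rule that keys on file names cannot match these events at all, and the analyst is left with a heap address and a single component ("run", "lock") that only exists because SELinux denied the lookup.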

pcmoore commented 7 years ago

Doing this would require a lot of syscall specific code. I'm not saying "no", but this is extremely low priority.