linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: record the path of files accessed using the *at(2) syscalls #9

Open pcmoore opened 8 years ago

pcmoore commented 8 years ago

For the *at syscalls, can we get the path from the FD being passed as an argument to be able to reconstruct what is being accessed? (Readlink in `/proc/<pid>/fds/#` shows the path, why can't this go into the record?) We may need a new auxiliary record type since this is neither the cwd nor the path.

WOnder93 commented 6 years ago

A prototype patchset posted to the list for discussion: https://www.redhat.com/archives/linux-audit/2018-July/msg00041.html

(@pcmoore You can assign this to me if you want :)

michael-skynorth commented 5 years ago

@WOnder93, I want to try this patch. This also needs an auditd change, right? Any patches for it?

WOnder93 commented 5 years ago

@michael-skynorth That patchset only partially solves the problem. It adds records with some information that you can use to reconstruct the full path, but you'd have to do that manually. Basically, you'd need to look at the values of the fd arguments in the SYSCALL record, translate those to paths based on the FD_PATH records and then append the corresponding relative paths from the PATH records. You'd also need to watch out for the corner case from issue #95 (but that's easy to detect).

After discussing the patchset we came to the conclusion that this issue would be better resolved in a different way - ideally by providing the full, correct path in the PATH records. That solution doesn't need any changes in audit userspace, but will be a bit more difficult to implement. Currently there is an ongoing discussion about how exactly we want to solve the problem (see the thread related to issue #95 [1]-[5]), so it is unlikely we will have a solution before we come to an agreement on that.

[1] https://www.redhat.com/archives/linux-audit/2018-August/msg00003.html
[2] https://www.redhat.com/archives/linux-audit/2018-September/msg00027.html
[3] https://www.redhat.com/archives/linux-audit/2018-October/msg00103.html
[4] https://www.redhat.com/archives/linux-audit/2018-November/msg00005.html
[5] https://www.redhat.com/archives/linux-audit/2018-December/msg00000.html
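The manual reconstruction described in the comment above (read the dirfd argument from the SYSCALL record, map it to a directory via an FD_PATH record or the CWD record, then append the relative name from the PATH record), as added example code that is not part of this issue or of the prototype patchset. The FD_PATH field layout (`fd=`, `path=`) and the sample log lines are constructed assumptions; the x86_64 syscall numbers are the only real values, and the issue #95 corner case is not modelled.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: two openat(2) events. The FD_PATH record layout (fd=, path=) is an
# assumption modelled on the prototype's idea, not a format any released kernel emits.
SAMPLE = """\
type=SYSCALL msg=audit(1560000000.100:42): arch=c000003e syscall=257 success=yes exit=4 a0=3 a1=55d0c0e1a2b0 a2=0 a3=0 items=1 pid=1234 comm="cat"
type=CWD msg=audit(1560000000.100:42): cwd="/root"
type=FD_PATH msg=audit(1560000000.100:42): fd=3 path="/etc"
type=PATH msg=audit(1560000000.100:42): item=0 name="passwd" inode=1001 dev=fd:00 nametype=NORMAL
type=SYSCALL msg=audit(1560000000.200:43): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=55d0c0e1a2b0 a2=0 a3=0 items=1 pid=1234 comm="cat"
type=CWD msg=audit(1560000000.200:43): cwd="/var/log"
type=PATH msg=audit(1560000000.200:43): item=0 name="audit/audit.log" inode=2002 dev=fd:00 nametype=NORMAL
"""

DIRFD_ARG = {257: "a0", 262: "a0", 263: "a0"}   # x86_64 openat, newfstatat, unlinkat: dirfd is a0
AT_FDCWD = (-100) & 0xFFFFFFFFFFFFFFFF           # how the negative AT_FDCWD shows up in the hex aN fields

def parse_record(line):
    """Split one audit line into (record type, event id, {field: value})."""
    rtype, event, rest = re.match(r"type=(\S+) msg=audit\(([^)]*)\): (.*)", line).groups()
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
    return rtype, event, fields

def reconstruct_paths(lines):
    """Return {event id: [absolute paths]} by joining SYSCALL dirfd -> FD_PATH/CWD -> PATH name."""
    by_event = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rtype, event, fields = parse_record(line)
        by_event[event][rtype].append(fields)
    result = {}
    for event, recs in by_event.items():
        syscall = recs["SYSCALL"][0]
        dirfd = int(syscall[DIRFD_ARG[int(syscall["syscall"])]], 16)
        if dirfd == AT_FDCWD:
            base = recs["CWD"][0]["cwd"]          # relative to the process cwd
        else:
            fd_paths = {int(r["fd"]): r["path"] for r in recs["FD_PATH"]}
            base = fd_paths.get(dirfd)           # None if no FD_PATH record was emitted
        paths = []
        for p in recs["PATH"]:
            name = p["name"]
            if name.startswith("/") or base is None:
                paths.append(name)               # already absolute, or not resolvable
            else:
                paths.append(base.rstrip("/") + "/" + name)
        result[event] = paths
    return result
```

Calling `reconstruct_paths(SAMPLE.splitlines())` resolves the first event to `/etc/passwd` (via FD_PATH for fd 3) and the second to `/var/log/audit/audit.log` (via CWD, because a0 is AT_FDCWD).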

michael-skynorth commented 5 years ago

@WOnder93 , thanks so much for the detailed response.