option --extra-obj2 does not seem to work

Paul Moore paul at paul-moore.com
Mon Apr 8 00:39:27 UTC 2019


On Sun, Apr 7, 2019 at 4:22 AM Steve Grubb <sgrubb at redhat.com> wrote:
> On Fri, 5 Apr 2019 16:30:32 +0200
> "Ondra N." <ondrysak at gmail.com> wrote:
> > it seems that the option fails to display the second object for rename
> > action.
>
> To catch everyone up, it turns out this is audit-2.8.4 and kernel
> 3.10.0-957.el7.x86_64.

Ondra, I'm not sure if you have any more recent kernels running, but
have you seen the same issue on other kernel/userspace combinations?

> > The interactive format correctly shows the renaming of the file
> > 5M2w0d4eagxxig9KYM5.file to DyTbnH12dMV1nQsOxU.file
> >
> > ausearch -k test-ra -i
> >
> > type=PROCTITLE msg=audit(04/05/2019 13:57:22.489:110873) :
> > proctitle=python3 populate_fs.py rename
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/DyTbnH12dMV1nQsOxU.file
> > inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> > objtype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
>
> There seems to be a missing DELETE path record here. What I see on my
> system is 2 PARENT records, 2 DELETE records, and 1 CREATE record. The
> two parents are for both items (obj1 & obj2). Then both objects get
> deleted, and we are left with 1 object being created. This last create
> record is what OBJ2 would be. Without the second DELETE, we wind
> up on the wrong record looking for 'name'.
>
> Looking at the inodes, what is missing is the DELETE for the inode that
> is being replaced with the tmp copy. Funny thing is, this works fine
> for me on the same user space and kernel.
>
> Can you pass along a simplified reproducer? Shell script would be
> preferred.
>
> Thanks,
> -Steve
>
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file
> > inode=184553858 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00
> > objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> > inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> > objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0
> > name=/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/
> > inode=184554064 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00
> > objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> > type=CWD msg=audit(04/05/2019 13:57:22.489:110873) :
> > cwd=/push_agent/src/main/python/scripts
> > type=SYSCALL msg=audit(04/05/2019 13:57:22.489:110873) : arch=x86_64
> > syscall=rename success=yes exit=0 a0=0x7f3259691b78 a1=0x7f3259691d70
> > a2=0xffffffff a3=0x7f3263f160e0 items=4 ppid=27421 pid=7653 auid=root
> > uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> > fsgid=root tty=pts1 ses=5549 comm=python3
> > exe=/opt/rh/rh-python36/root/usr/bin/python3.6 key=test-ra
> >
> > but the csv format shows just an empty column where the info about
> > object2 should be.
> >
> > ausearch -k test-ra --format csv --extra-obj2
> >
> > ,SYSCALL,04/05/2019,13:57:22,110873,audit-rule,5549,root,root,priviliged-acct,renamed,success,/tmp/rnd_pop/I2wt8yFylHdNJdX8/sesvPVcmFUDDBp1Pc/5yqohyxiGYwSzXwYRN2/93qyvIU9V2O8dsDXSdQP/csE7ryqvCWMBd8ASyJ3e/5M2w0d4eagxxig9KYM5.file,184553858,,file,/opt/rh/rh-python36/root/usr/bin/python3.6
> >
> > Is this the desired behaviour?

-- 
paul moore
www.paul-moore.com
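As an added illustration (not code from this thread or from audit-userspace): a small Python parser over constructed PATH records that compares a positional obj2 lookup, which comes up empty when the second DELETE record is absent as in the event above, with a lookup keyed on objtype, and reports which record types of the five-record rename layout Steve describes are missing. The function names, the shortened paths, and the five-record sample with its inode values are assumptions.

```python
import re

# Constructed sample (paths shortened): the four PATH records from the event in
# the thread, which carries only one DELETE record.
EVENT_MISSING_DELETE = """\
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=3 name=/tmp/d/new.file inode=184553858 objtype=CREATE
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=2 name=/tmp/d/old.file inode=184553858 objtype=DELETE
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=1 name=/tmp/d/ inode=184554064 objtype=PARENT
type=PATH msg=audit(04/05/2019 13:57:22.489:110873) : item=0 name=/tmp/d/ inode=184554064 objtype=PARENT
"""
# Constructed sample of the layout Steve describes for a rename over an existing
# target: 2 PARENT, 2 DELETE, 1 CREATE (serial and inode values invented).
EVENT_FULL = """\
type=PATH msg=audit(04/05/2019 13:57:22.489:110874) : item=4 name=/tmp/d/new.file inode=1001 objtype=CREATE
type=PATH msg=audit(04/05/2019 13:57:22.489:110874) : item=3 name=/tmp/d/new.file inode=1002 objtype=DELETE
type=PATH msg=audit(04/05/2019 13:57:22.489:110874) : item=2 name=/tmp/d/old.file inode=1001 objtype=DELETE
type=PATH msg=audit(04/05/2019 13:57:22.489:110874) : item=1 name=/tmp/d/ inode=2000 objtype=PARENT
type=PATH msg=audit(04/05/2019 13:57:22.489:110874) : item=0 name=/tmp/d/ inode=2000 objtype=PARENT
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")
EXPECTED_RENAME_LAYOUT = ["PARENT", "PARENT", "DELETE", "DELETE", "CREATE"]

def parse_path_records(text):
    """Return the PATH records of one event as dicts, ordered by item (0 first)."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=PATH"):
            continue
        # Skip the msg=audit(...) prefix, then read key=value fields.
        fields = dict(FIELD_RE.findall(line.split(" : ", 1)[1]))
        fields["item"] = int(fields["item"])
        records.append(fields)
    return sorted(records, key=lambda r: r["item"])

def obj2_by_position(records):
    """Hypothetical positional lookup: assumes obj2 is the fifth record,
    so it returns None (an empty column) when a DELETE record is missing."""
    return records[4]["name"] if len(records) > 4 else None

def obj2_by_objtype(records):
    """Lookup keyed on objtype: the CREATE record names the second object
    no matter how many DELETE records the kernel emitted."""
    return next((r["name"] for r in records if r["objtype"] == "CREATE"), None)

def rename_layout_gaps(records):
    """Record types of the five-record rename layout absent from this event."""
    gaps = list(EXPECTED_RENAME_LAYOUT)
    for r in records:
        if r["objtype"] in gaps:
            gaps.remove(r["objtype"])
    return gaps
```

Run against `EVENT_MISSING_DELETE`, `rename_layout_gaps` reports the one absent `DELETE`, which is the check a reproducer script could apply across kernels before comparing csv output.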
