
BUG: audit log #148

Open: wants to merge 2 commits into base: main

Conversation

@hqh2010 commented Jul 28, 2023

fix: audit.log can't record correctly when rm'ing a dir whose name ends with '/'

Steps:

  1. mkdir test
  2. touch test/111.txt
  3. rm -r test/

Log:

type=PATH msg=audit(1690506313.361:2505): item=1 name=(null) inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0
type=PATH msg=audit(1690506313.361:2505): item=2 name=(null) inode=1049384 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0

Change-Id: I6b242a062ced1e3db129b9b9e5f155c681561c2a

pcmoore and others added 2 commits (June 26, 2023 12:00): fix: audit.log can't record correctly when rm'ing a dir whose name ends with '/'
@pcmoore changed the title from "Influence: audit log" to "BUG: audit log" on Jul 28, 2023

@pcmoore (Contributor) commented Jul 28, 2023

Hi @hqh2010, thanks for debugging this and submitting a PR! I haven't had a chance to properly review it, but we generally ask for Linux Kernel patches to be sent via the Linux Audit mailing list at [email protected].

Are you familiar with the Linux Kernel patch submission process? If not, there is a document which goes into detail on the process (link below). If you have any questions I'm happy to help.

@pcmoore (Contributor) commented Feb 14, 2024

Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?

@hqh2010 (Author) commented Feb 27, 2024 via email

@Avenger-285714 (Contributor) commented

Hi @pcmoore,

I'm writing to you on behalf of my former colleague, @hqh2010, who reported a bug in kernel audit.

The bug was discovered when a customer called the kernel audit function in the UnionTechOS distribution.

@hqh2010 has since left Uniontech, but I will improve this bugfix patch and send it to the audit subsystem mailing list as soon as possible.

I will also include @hqh2010's name in the commit msg.

Thanks for your time.

Best regards,

WangYuli.
[email protected]

@pcmoore (Contributor) commented Feb 28, 2024

That would be great, thank you @Avenger-285714 (and @hqh2010)!

@ramzcode commented

@pcmoore Exactly the same behavior on RHEL 8.7 as well, with audit-3.0.7-4.el8.x86_64 and 4.18.0-425.13.1.el8_7.x86_64. Is there any workaround to get it sorted?

@pcmoore (Contributor) commented Apr 19, 2024

Hi @ramzcode, last I saw @Avenger-285714 was planning to submit a kernel patch to address the problem so I was waiting on that to happen. If @Avenger-285714 is not able or willing to post a patch we can look into alternate ways to submit and discuss the patch upstream.

However, as you are mentioning RHEL, you may want to contact your IBM/RH support team to look for an answer. We do not support RHEL kernels in this GitHub.

@pcmoore force-pushed the main branch 3 times, most recently from 7bbb771 to 6484839, on September 18, 2024 10:48
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Nov 5, 2024
When the user specifies a directory to delete with the suffix '/',
the audit record fails to collect the filename, resulting in the
following logs:

 type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null)
 type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null)

It happens because the values of the variables dname and n->name->name
in __audit_inode_child() differ only by the suffix '/'. This commit
treats this corner case by cleaning the input and passing the correct
filename to audit_compare_dname_path().

Steps to reproduce the issue:

 # auditctl -w /tmp
 $ mkdir /tmp/foo
 $ rm -r /tmp/foo/ or rmdir /tmp/foo/
 # ausearch -i | grep PATH | tail -3

This patch is based on a GitHub patch/PR by user @hqh2010.
linux-audit/audit-kernel#148

Signed-off-by: Ricardo Robaina <[email protected]>
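The mismatch this commit message describes, as an added example that is not the kernel's or the patch's code: a user-space model of the audit_compare_dname_path() length check, with the buggy and fixed variants side by side. Function names follow the kernel's for readability only; parent_len() returning 0 for a slash-free path is an assumption of this model.

```c
/* Added example, not the kernel's code: a user-space model of the
 * audit_compare_dname_path() check named in the commit message.
 * Kernel convention is kept: return 0 on match, non-zero otherwise. */
#include <string.h>

/* Length of the "parent/" prefix; trailing slashes are skipped first.
 * Returns 0 if path has no '/' at all (a choice made for this model). */
static size_t parent_len(const char *path)
{
    size_t plen = strlen(path);
    const char *p;
    if (plen == 0)
        return 0;
    p = path + plen - 1;
    while (*p == '/' && p > path)   /* disregard trailing slashes */
        p--;
    while (*p != '/' && p > path)   /* find the slash before that */
        p--;
    return *p == '/' ? (size_t)(p - path) + 1 : 0;
}

/* Compare the final component of path against the dentry name dname,
 * using an effective path length supplied by the caller. */
static int compare_tail(const char *dname, const char *path, size_t pathlen)
{
    size_t dlen = strlen(dname), plen;
    if (pathlen < dlen)
        return 1;
    plen = parent_len(path);
    if (pathlen - plen != dlen)      /* "/tmp/foo/": 9 - 5 != 3 */
        return 1;
    return strncmp(path + plen, dname, dlen);
}

/* Buggy: the raw strlen() keeps the trailing '/', so "/tmp/foo/" never
 * matches "foo" and the PATH record is written with name=(null). */
static int compare_dname_path_buggy(const char *dname, const char *path)
{
    return compare_tail(dname, path, strlen(path));
}

/* Fixed: drop trailing slashes from the effective length first,
 * keeping one character so the root "/" is not reduced to nothing. */
static int compare_dname_path_fixed(const char *dname, const char *path)
{
    size_t pathlen = strlen(path);
    while (pathlen > 1 && path[pathlen - 1] == '/')
        pathlen--;
    return compare_tail(dname, path, pathlen);
}
```

With a watch on /tmp, the buggy variant rejects "foo" against "/tmp/foo/" purely on length, which is why both PATH items in the log above end up as name=(null).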
@rprobaina commented

Just for the record, this issue/PR is being addressed upstream via [PATCH v2] audit: fix suffixed '/' filename matching in __audit_inode_child()

intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Nov 25, 2024
When the user specifies a directory to delete with the suffix '/',
the audit record fails to collect the filename, resulting in the
following logs:

 type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null)
 type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null)

It happens because the values of the variables dname and n->name->name
in __audit_inode_child() differ only by the suffix '/'. This commit
treats this corner case by handling pathname's trailing slashes in
audit_compare_dname_path().

Steps to reproduce the issue:

 # auditctl -w /tmp
 $ mkdir /tmp/foo
 $ rm -r /tmp/foo/
 # ausearch -i | grep PATH | tail -3

The first version of this patch was based on a GitHub patch/PR by
user @hqh2010 [1].

Link: linux-audit/audit-kernel#148 [1]

Suggested-by: Paul Moore <[email protected]>
Reviewed-by: Richard Guy Briggs <[email protected]>
Reviewed-by: Al Viro <[email protected]>
Signed-off-by: Ricardo Robaina <[email protected]>
pcmoore pushed a commit that referenced this pull request Dec 6, 2024
Suggested-by: Paul Moore <[email protected]>
Signed-off-by: Ricardo Robaina <[email protected]>
[PM: subject tweak, trim old metadata]
Signed-off-by: Paul Moore <[email protected]>
staging-kernelci-org pushed a commit to kernelci/linux that referenced this pull request Dec 9, 2024
Suggested-by: Paul Moore <[email protected]>
Signed-off-by: Ricardo Robaina <[email protected]>
Reviewed-by: Richard Guy Briggs <[email protected]>
[PM: subject tweak, trim old metadata]
Signed-off-by: Paul Moore <[email protected]>