Why does the kernel audit module not record the absolute path of the file #314

Closed
hqh2010 opened this issue Jul 27, 2023 · 7 comments

Comments

@hqh2010

hqh2010 commented Jul 27, 2023

System config:

uos@uos-PC:~/Desktop$ sudo auditctl -l
-w /home/uos/Desktop -p wa -k file_wa_audit
uos@uos-PC:~/Desktop$ tree test
test
└── 111.txt

0 directories, 1 file
uos@uos-PC:~/Desktop$ rm -r test

the content of /var/log/audit/audit.log

type=SYSCALL msg=audit(1690443959.176:1267): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=6888f8 a2=0 a3=fffffffffffffbbb items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1267): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1267): proctitle=726D002D720074657374

type=SYSCALL msg=audit(1690443959.176:1268): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=6874a0 a2=200 a3=100 items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1268): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1268): item=0 name="/home/uos/Desktop" inode=1048584 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1268): item=1 name="test" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1268): proctitle=726D002D720074657374

Question:
The absolute path of 111.txt is /home/uos/Desktop/test/111.txt, but we cannot get the absolute path of 111.txt from audit.log.

Kernel version:

uos@uos-PC:~/Desktop$ uname -a
Linux uos-PC 4.19.0-amd64-desktop #6100 SMP Thu Jul 20 13:37:54 CST 2023 x86_64 GNU/Linux
@stevegrubb
Contributor

The ausearch utility can give you the full path. In the auparse library, this is provided by the auparse_interpret_realpath() function. This is used when you ask for output formatting to be csv or text:

NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
,SYSCALL,07/27/2023,03:45:59,1267,audit-rule,2,unknown(1000),unknown(1000),user-acct,deleted,success,/home/uos/Desktop/111.txt,1051788,file,/usr/bin/rm
,SYSCALL,07/27/2023,03:45:59,1268,audit-rule,2,unknown(1000),unknown(1000),user-acct,deleted,success,/home/uos/Desktop/test,1051911,directory,/usr/bin/rm

At 03:45:59 07/27/2023 unknown(1000) successfully deleted /home/uos/Desktop/111.txt using /usr/bin/rm
At 03:45:59 07/27/2023 unknown(1000) successfully deleted /home/uos/Desktop/test using /usr/bin/rm

@hqh2010
Author

hqh2010 commented Jul 28, 2023

But ausearch -i can't get the real absolute path. I want to get the absolute path of the audited file; do you have any ideas? Thanks.

> auparse_interpret_realpath is like auparse_interpret_field except
> that it will call realpath on the results of gluing the cwd and
> file together. This also implies that it is only valid to be called
> for the file name given in a PATH record.

The same issue:
#231
linux-audit/audit-kernel#133

@stevegrubb
Contributor

No, ausearch -i cannot provide the absolute path unless the open syscall was an absolute path. If the syscall was relative, then it has to be built from CWD and the PATH. This is what auparse_interpret_realpath() does. You might look at your test program with strace to see how open was called. The kernel provides information it was handed. If it is relative, it provides all the pieces to reconstruct the path. ausearch -i just interprets the raw pieces. If you want processed information, use the csv format. Or you (or chatGPT) can write a simple python program to provide the information the way you want.

@hqh2010
Author

hqh2010 commented Jul 31, 2023

> The ausearch utility can give you the full path. In the auparse library, this is provided by the auparse_interpret_realpath() function. This is used when you ask for output formatting to be csv or text:
>
> NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
> ,SYSCALL,07/27/2023,03:45:59,1267,audit-rule,2,unknown(1000),unknown(1000),user-acct,deleted,success,/home/uos/Desktop/111.txt,1051788,file,/usr/bin/rm
> ,SYSCALL,07/27/2023,03:45:59,1268,audit-rule,2,unknown(1000),unknown(1000),user-acct,deleted,success,/home/uos/Desktop/test,1051911,directory,/usr/bin/rm
>
> At 03:45:59 07/27/2023 unknown(1000) successfully deleted /home/uos/Desktop/111.txt using /usr/bin/rm
> At 03:45:59 07/27/2023 unknown(1000) successfully deleted /home/uos/Desktop/test using /usr/bin/rm

Thank you very much for your reply.

Is there any method to obtain the full path of the file from '/var/log/audit/audit.log' besides modifying the kernel audit module?

@stevegrubb
Contributor

The auparse_interpret_realpath() function can build the path from the piece parts. The kernel developers consider the fragmented output to be a user space problem. (They are concerned with outputting the data as fast as possible.) Most system calls are easy to reconstruct. The biggest problem is renameat because it fully involves a cwd, and 2 directory paths, and 2 files. In the simpler case, if the path is relative, call auparse_interpret_realpath to build the full path. (This implies that you are writing a program for custom reporting.) Otherwise, a simple call to auparse_interpret_field will give you the absolute path.

Aside from writing a custom report, the csv data has what you want and more. The csv format lends itself to data science techniques. You may find that better depending on your purpose.
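A worked reconstruction of the two events from the report, as an added example that is not part of this issue and not audit-userspace code. It groups raw audit.log records by serial number and, for relative names, glues cwd and the PATH name the way auparse_interpret_realpath() is described above. It then adds two checks the records support. First, it reads a0 of the SYSCALL record: on x86_64 (arch=c000003e) the *at() family, including syscall 263 (unlinkat), takes a dirfd there, and cwd+name is only meaningful when that dirfd is AT_FDCWD (logged as ffffff9c, as in event 1268); in event 1267 a0=4, so rm removed 111.txt relative to an open directory fd and cwd is not its parent, which is why the csv output above places it directly under /home/uos/Desktop. Second, it cross-references the PARENT record's dev:inode against the other items in the same log: the PARENT record of 1267 carries inode=1051911, the inode that event 1268 resolves to /home/uos/Desktop/test. The syscall table, the AT_FDCWD encoding and the inode cross-reference are assumptions and heuristics of this example, not auparse behaviour; the sample log is the reporter's own output, trimmed to the fields the script reads.

```python
# Added example: rebuild absolute paths from raw audit records. The syscall
# table, AT_FDCWD encoding and inode cross-reference are assumptions made here.
import posixpath
import re
from collections import defaultdict

# Constructed sample: the two unlinkat events from the report (rm -r test, run
# from /home/uos/Desktop), trimmed to the fields this script reads.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1690443959.176:1267): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=6888f8 a2=0 a3=fffffffffffffbbb items=2 pid=23410 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1267): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 mode=040755 nametype=PARENT
type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 mode=0100644 nametype=DELETE
type=SYSCALL msg=audit(1690443959.176:1268): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=6874a0 a2=200 a3=100 items=2 pid=23410 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1268): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1268): item=0 name="/home/uos/Desktop" inode=1048584 dev=fe:07 mode=040755 nametype=PARENT
type=PATH msg=audit(1690443959.176:1268): item=1 name="test" inode=1051911 dev=fe:07 mode=040755 nametype=DELETE
"""

# x86_64 (arch=c000003e) syscalls whose a0 is a dirfd (assumed table; symlinkat
# is left out on purpose because its dirfd is a1, not a0).
X86_64_DIRFD_IN_A0 = {257, 258, 259, 260, 261, 262, 263, 264, 265, 267, 268, 269, 316}
AT_FDCWD = 0xFFFFFF9C  # -100 as the 32-bit hex value the kernel logs in a0

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

def parse_record(line):
    """One audit.log line -> dict of fields; quoted values are unquoted.
    (Names with unusual bytes are hex-encoded by the kernel; left as-is here.)"""
    rec = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}
    rec['serial'] = int(SERIAL_RE.search(line).group(1))
    return rec

def group_events(text):
    """Group records by serial; one event's records may interleave with others."""
    events = defaultdict(lambda: {'SYSCALL': None, 'CWD': None, 'PATH': []})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec['type'] == 'PATH':
            events[rec['serial']]['PATH'].append(rec)
        elif rec['type'] in ('SYSCALL', 'CWD'):
            events[rec['serial']][rec['type']] = rec
    return dict(events)

def _nearest_parent(paths, item):
    """PARENT record with the highest item index below `item`. Adequate for the
    single-path syscalls shown here; renameat logs two parents and needs more."""
    cands = [p for p in paths if p.get('nametype') == 'PARENT' and int(p['item']) < item]
    return max(cands, key=lambda p: int(p['item']), default=None)

def resolve_event(ev, inode_map=None):
    """Return [(name, absolute_path, how, (dev, inode))] for non-PARENT items."""
    sc = ev['SYSCALL']
    cwd = ev['CWD']['cwd'] if ev['CWD'] else None
    fd_relative = False
    if sc and sc.get('arch') == 'c000003e' and int(sc['syscall']) in X86_64_DIRFD_IN_A0:
        fd_relative = int(sc['a0'], 16) != AT_FDCWD  # a0=4 in 1267, AT_FDCWD in 1268
    out = []
    for p in ev['PATH']:
        if p.get('nametype') == 'PARENT':
            continue
        name, key = p['name'], (p['dev'], p['inode'])
        if name.startswith('/'):
            out.append((name, posixpath.normpath(name), 'absolute', key))
        elif not fd_relative and cwd:
            # The auparse_interpret_realpath() case: glue cwd and name.
            out.append((name, posixpath.normpath(posixpath.join(cwd, name)), 'cwd+name', key))
        else:
            # Relative to an open dirfd, so cwd is not the parent. Fall back to the
            # PARENT record, trusting its inode (seen elsewhere in the log) over its name.
            parent = _nearest_parent(ev['PATH'], int(p['item']))
            pkey = (parent['dev'], parent['inode']) if parent else None
            if inode_map and pkey in inode_map:
                out.append((name, posixpath.join(inode_map[pkey], posixpath.basename(name)), 'parent-inode', key))
            elif parent:
                out.append((name, posixpath.join(parent['name'], posixpath.basename(name)), 'parent-name (unverified)', key))
            else:
                out.append((name, name, 'unresolved', key))
    return out

def resolve_log(text):
    """Two passes: resolve what absolute names and cwd settle, then reuse the
    resulting (dev, inode) -> path map for fd-relative items. Inode numbers get
    reused over time, so only cross-reference within one log window."""
    events = group_events(text)
    inode_map = {}
    for ev in events.values():
        for _, path, how, key in resolve_event(ev):
            if how in ('absolute', 'cwd+name'):
                inode_map[key] = path
    return {serial: [(path, how) for _, path, how, _ in resolve_event(ev, inode_map)]
            for serial, ev in sorted(events.items())}

def resolve_sample():
    return resolve_log(SAMPLE_LOG)

if __name__ == '__main__':
    for serial, items in resolve_sample().items():
        for path, how in items:
            print(f'{serial}: {path}  [{how}]')
```

Run on its own, event 1268 resolves to /home/uos/Desktop/test via cwd+name, and event 1267 resolves to /home/uos/Desktop/test/111.txt via the parent inode; resolving 1267 in isolation (no inode map) yields the same /home/uos/Desktop/111.txt the csv output shows, now flagged as unverified. The "how" column is the part worth keeping in any custom report: a path built from cwd+name is only as trustworthy as the dirfd check behind it.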

@hqh2010
Author

hqh2010 commented Aug 1, 2023

> The auparse_interpret_realpath() function can build the path from the piece parts. The kernel developers consider the fragmented output to be a user space problem. (They are concerned with outputting the data as fast as possible.) Most system calls are easy to reconstruct. The biggest problem is renameat because it fully involves a cwd, and 2 directory paths, and 2 files. In the simpler case, if the path is relative, call auparse_interpret_realpath to build the full path. (This implies that you are writing a program for custom reporting.) Otherwise, a simple call to auparse_interpret_field will give you the absolute path.
>
> Aside from writing a custom report, the csv data has what you want and more. The csv format lends itself to data science techniques. You may find that better depending on your purpose.

Thanks.

@stevegrubb
Contributor

OK. I don't think there is much else that can be done here. If you need more assistance, reopen or better yet, ask on the mail list.
