BUG: audit log #148
Conversation
DO NOT SUBMIT UPSTREAM
fix:audit.log can't record correctly when rm the dir end with '/'

step:
1. mkdir test
2. touch test/111.txt
3. rm -r test/

Log:
type=PATH msg=audit(1690506313.361:2505): item=1 name=(null) inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0
type=PATH msg=audit(1690506313.361:2505): item=2 name=(null) inode=1049384 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0

Change-Id: I6b242a062ced1e3db129b9b9e5f155c681561c2a
Hi @hqh2010, thanks for debugging this and submitting a PR! I haven't had a chance to properly review it, but we generally ask for Linux Kernel patches to be sent via the Linux Audit mailing list at [email protected]. Are you familiar with the Linux Kernel patch submission process? If not, there is a document which goes into detail on the process (link below). If you have any questions I'm happy to help.
Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?
I'm sorry, I can't submit this PR, you can submit this PR instead, tks.
At 2024-02-15 00:05:48, "Paul Moore" ***@***.***> wrote:
Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?
Hi @pcmoore, I'm writing to you on behalf of my former colleague, @hqh2010, who reported a bug in kernel audit. The bug was discovered when a customer called the kernel audit function in the UnionTechOS distribution. @hqh2010 has since left Uniontech, but I will improve this bugfix patch and send it to the audit subsystem mailing list as soon as possible. I will also include @hqh2010's name in the commit msg. Thanks for your time. Best regards, WangYuli.
That would be great, thank you @Avenger-285714 (and @hqh2010)!
@pcmoore Exactly the same behavior on RHEL 8.7 as well with audit-3.0.7-4.el8.x86_64 and 4.18.0-425.13.1.el8_7.x86_64. Is there any workaround to get it sorted?
Hi @ramzcode, last I saw @Avenger-285714 was planning to submit a kernel patch to address the problem so I was waiting on that to happen. If @Avenger-285714 is not able or willing to post a patch we can look into alternate ways to submit and discuss the patch upstream. However, as you are mentioning RHEL, you may want to contact your IBM/RH support team to look for an answer. We do not support RHEL kernels in this GitHub.
When the user specifies a directory to delete with the suffix '/', the audit record fails to collect the filename, resulting in the following logs:

type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=2 name=(null)
type=PATH msg=audit(10/30/2024 14:11:17.796:6304) : item=1 name=(null)

It happens because the value of the variables dname, and n->name->name in __audit_inode_child() differ only by the suffix '/'. This commit treats this corner case by cleaning the input and passing the correct filename to audit_compare_dname_path().

Steps to reproduce the issue:
# auditctl -w /tmp
$ mkdir /tmp/foo
$ rm -r /tmp/foo/ or rmdir /tmp/foo/
# ausearch -i | grep PATH | tail -3

This patch is based on a GitHub patch/PR by user @hqh2010.
linux-audit/audit-kernel#148

Signed-off-by: Ricardo Robaina <[email protected]>
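The mismatch the commit message describes, as an added user-space illustration (this is not the kernel's audit_compare_dname_path() nor the patch in this PR; the function names are assumed): a last-component match that does not trim trailing '/' characters fails for "rm -r /tmp/foo/", which is why the PATH record ends up with name=(null), while trimming the slashes before comparing restores the match.

```c
#include <string.h>

/* Added illustration, not kernel code: compare a bare directory-entry name
 * (dname, e.g. "foo") against the last component of a user-supplied path,
 * ignoring any trailing '/' characters. Returns 0 on match, 1 otherwise. */
int compare_dname_path_trimmed(const char *dname, const char *path)
{
    size_t dlen = strlen(dname);
    size_t plen = strlen(path);
    const char *end, *start;

    /* Drop trailing slashes: "/tmp/foo/" and "/tmp/foo//" both become "/tmp/foo".
     * Keep at least one character so a bare "/" is still handled. */
    while (plen > 1 && path[plen - 1] == '/')
        plen--;
    end = path + plen;

    /* Walk back to the start of the last component. */
    start = end;
    while (start > path && start[-1] != '/')
        start--;

    if ((size_t)(end - start) != dlen)
        return 1;
    return memcmp(start, dname, dlen) != 0;
}

/* The naive form: take everything after the last '/'. With a trailing slash
 * the "last component" is empty, so "foo" never matches "/tmp/foo/". */
int compare_dname_path_naive(const char *dname, const char *path)
{
    const char *slash = strrchr(path, '/');
    const char *last = slash ? slash + 1 : path;
    return strcmp(last, dname) != 0;
}
```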