This is a somewhat strange issue I ran into and I would be grateful if anyone can help clear this one up:
My /etc/auditd/rules.d/audit.rules has the following content:
# Delete all previous rules
-D
# Set buffer size
-b 8192
# test1
-w /usr/local/testfile -k test1
# test2
-w /root/testfile -k test2
# test3
-w /etc/testfile -k test3
# test4
-w /home/testfile -k test4
auditctl -l
-w /usr/local/testfile -p rwxa -k test1
-w /root/testfile -p rwxa -k test2
-w /etc/testfile -p rwxa -k test3
-w /home/testfile -p rwxa -k test4
However, when I open any of these files, only test1 and test3 appear in the audit log:
# nano /usr/local/testfile
# nano /root/testfile
# nano /etc/testfile
# nano /home/testfile
time->Sun Mar 20 12:50:29 2022
type=PROCTITLE msg=audit(1647777029.223:58): proctitle=6E616E6F002F7573722F6C6F63616C2F7465737466696C65
type=PATH msg=audit(1647777029.223:58): item=1 name="/usr/local/testfile" inode=1205640 dev=08:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1647777029.223:58): item=0 name="/usr/local/" inode=1179649 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1647777029.223:58): cwd="/root"
type=SYSCALL msg=audit(1647777029.223:58): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=6a35f6cbe80 a2=241 a3=1b6 items=2 ppid=1577 pid=1760 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="nano" exe="/usr/bin/nano" key="test1"
----
time->Sun Mar 20 12:50:58 2022
type=PROCTITLE msg=audit(1647777058.868:59): proctitle=6E616E6F002F6574632F7465737466696C65
type=PATH msg=audit(1647777058.868:59): item=1 name="/etc/testfile" inode=1332 dev=08:02 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1647777058.868:59): item=0 name="/etc/" inode=14 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1647777058.868:59): cwd="/root"
type=SYSCALL msg=audit(1647777058.868:59): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=43b5bc63860 a2=241 a3=1b6 items=2 ppid=1577 pid=1826 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="nano" exe="/usr/bin/nano" key="test3"
To make this even more weird, if I run 'auditctl -D' and then add the rules with 'auditctl -w /usr/local/testfile -k test1', 'auditctl -w /root/testfile -k test2' and so on, all file access events are logged as expected.
There are no audit errors in the log during bootup.
Would anyone have an idea what could cause this?
Thanks
Last edited by frank773 (2022-03-20 14:35:09)
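As an added check (not from the thread or the audit project), the following Python joins the SYSCALL and PATH records of each audit event by serial, records which watch key fired for which path, and lists the watch rules from the rules file that never produced an event. The rules and log lines are constructed from what the post shows, with fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the thread: the four watch rules, and two
# ausearch-style events with fields trimmed. Not the poster's complete log.
RULES = """\
-w /usr/local/testfile -k test1
-w /root/testfile -k test2
-w /etc/testfile -k test3
-w /home/testfile -k test4
"""
LOG = """\
type=PATH msg=audit(1647777029.223:58): item=1 name="/usr/local/testfile" nametype=CREATE
type=SYSCALL msg=audit(1647777029.223:58): syscall=257 success=yes comm="nano" key="test1"
type=PATH msg=audit(1647777058.868:59): item=1 name="/etc/testfile" nametype=CREATE
type=SYSCALL msg=audit(1647777058.868:59): syscall=257 success=yes comm="nano" key="test3"
"""

# Accepts both the rules.d form and the `auditctl -l` form (which inserts -p rwxa).
WATCH_RE = re.compile(r'^-w\s+(\S+)(?:\s+-p\s+\S+)?\s+-k\s+(\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # serial ties an event's records together
KEY_RE = re.compile(r'^type=SYSCALL .* key="([^"]+)"')  # unkeyed records show key=(null), unquoted
NAME_RE = re.compile(r'^type=PATH .* name="([^"]+)"')

def expected_keys(rules_text):
    """Map each watch key to the path it guards."""
    return {m.group(2): m.group(1)
            for m in (WATCH_RE.match(l.strip()) for l in rules_text.splitlines()) if m}

def events_by_key(log_text):
    """Return key -> set of PATH names, joining SYSCALL and PATH records by serial."""
    keys, paths = {}, defaultdict(set)
    for line in log_text.splitlines():
        s = SERIAL_RE.search(line)
        if s and (k := KEY_RE.match(line)):
            keys[s.group(1)] = k.group(1)
        elif s and (n := NAME_RE.match(line)):
            paths[s.group(1)].add(n.group(1))
    seen = defaultdict(set)
    for serial, key in keys.items():
        seen[key] |= paths[serial]
    return dict(seen)

def silent_watches(rules_text, log_text):
    """Watch rules that are loaded but produced no event after the files were touched."""
    seen = events_by_key(log_text)
    return {k: p for k, p in expected_keys(rules_text).items() if k not in seen}

if __name__ == "__main__":
    print(silent_watches(RULES, LOG))  # {'test2': '/root/testfile', 'test4': '/home/testfile'}
```

Feed it the real rules file and `ausearch -i` output (or raw /var/log/audit/audit.log lines) after touching each watched file; any key it reports has a rule that loaded but is not firing.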
I was able to reproduce this issue on both another Arch system and Debian testing, both running audit 3.0.7.
Since this problem also does not seem to affect older versions of audit, it appears to be an upstream issue.
Closing this thread as this isn't arch specific.
edit:
Upstream bug report
https://github.com/linux-audit/audit-kernel/issues/135
Last edited by frank773 (2022-03-20 14:53:43)