BUG: auditd does not generate audit message when PATH cannot be resolved #118

johntolson opened this issue Nov 13, 2019 · 3 comments
johntolson commented Nov 13, 2019

When the path for an auditd event cannot be resolved, it currently does not generate an audit message. This should be changed so that even when a full PATH record cannot be generated with file attributes, an abbreviated one can be generated. For those that use the audit service for security monitoring, this is a big security hole.

An example of the problem follows (and provides an easy re-create):
I have the following 2 audit rules set up:

```
-a always,exit -F arch=b64 -S all -F exit=-EACCES -F dir=/gpfs/fs1
-a always,exit -F arch=b64 -S all -F exit=-EPERM -F dir=/gpfs/fs1
```

I have a directory structure like the following:

```
(13:15:26) zippleback-vm1:~ # ls -la /gpfs/fs1/test/
total 257
drwx------.  3 root root   4096 Nov  7 12:46 .
drwxr-xr-x. 15 root root 262144 Nov  7 12:50 ..
drwx------.  2 root root   4096 Nov  7 12:46 test2
```

Essentially, directory "/gpfs/fs1/test/" is owned by root and has permissions 700. The subdirectory underneath it (with path /gpfs/fs1/test/test2) is also owned by root and has permissions 700.

When I have a non-root user attempt to list the contents of directory "/gpfs/fs1/test/" I receive an audit message for the denied access. However, when the non-root user attempts to list the contents of the subdirectory (/gpfs/fs1/test/test2), there is no audit message generated. In the second case where no audit message is generated, it is because the full path is not available. In this case an audit message should still be created if it even contains just a partial path.
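A monitoring-side check for the gap described in this report, added here as an illustration and not code from the issue or the audit project: it groups audit.log lines by event serial, and for every SYSCALL record with success=no and exit=-EACCES (-13) or -EPERM (-1) it looks for a PATH record carrying a usable name, flagging events where none exists. The sample records are constructed; the check can only see events the kernel actually emits, so it catches an abbreviated or PATH-less denial record rather than the silent case itself.

```python
import re
from collections import defaultdict

# Constructed sample, not taken from the issue: event 201 is a denied listing
# of /gpfs/fs1/test with a PATH record; event 202 is a denial whose SYSCALL
# record arrived with no PATH record at all (the unresolved-path situation).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1573654500.101:201): arch=c000003e syscall=257 success=no exit=-13 uid=1001 auid=1001 comm="ls" exe="/usr/bin/ls" key=(null)
type=PATH msg=audit(1573654500.101:201): item=0 name="/gpfs/fs1/test/" inode=12345 dev=00:2b mode=040700 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1573654500.102:202): arch=c000003e syscall=257 success=no exit=-13 uid=1001 auid=1001 comm="ls" exe="/usr/bin/ls" key=(null)
"""

# One audit record per line: type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <key=value ...>
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<id>[\d.]+:\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Negative errno values auditd prints in the SYSCALL exit= field for denials.
DENIAL_EXITS = {"-13": "EACCES", "-1": "EPERM"}


def parse_events(log_text):
    """Group records by event id; each record becomes (type, {field: value})."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record we understand
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        events[m.group("id")].append((m.group("type"), fields))
    return events


def find_unresolved_denials(log_text):
    """Return denied SYSCALL events that carry no usable PATH name."""
    findings = []
    for event_id, records in parse_events(log_text).items():
        syscalls = [f for t, f in records if t == "SYSCALL"]
        names = [f.get("name") for t, f in records if t == "PATH"]
        for sc in syscalls:
            if sc.get("success") != "no" or sc.get("exit") not in DENIAL_EXITS:
                continue
            # A denial is "resolved" only if at least one PATH record names an object.
            if all(n in (None, "(null)") for n in names):
                findings.append({"event": event_id, "errno": DENIAL_EXITS[sc["exit"]],
                                 "uid": sc.get("uid"), "comm": sc.get("comm")})
    return findings


if __name__ == "__main__":
    for f in find_unresolved_denials(SAMPLE_LOG):
        print(f"event {f['event']}: {f['errno']} for uid {f['uid']} ({f['comm']}) with no PATH record")
```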

@pcmoore pcmoore changed the title auditd does not generate audit message when PATH cannot be resolved BUG: auditd does not generate audit message when PATH cannot be resolved Nov 13, 2019

pcmoore commented Nov 13, 2019

NOTE: I edited the original posting to make the directory structure example a fixed-width font code block for readability; the contents were not changed in any way.


Gentser commented Dec 26, 2023

Greetings!
@pcmoore, what do you mean by saying "it is because the full path is not available"?

I experienced the same problem. And, as I suppose, in your case an audit event should be generated with object "/gpfs/fs1/test", as it is part of the path to the target directory "/gpfs/fs1/test/test2" that is being accessed. But it's not sent either.


pcmoore commented Dec 27, 2023

> Greetings! @pcmoore, what do you mean by saying "it is because the full path is not available"?

I did not say that, the original poster did in their initial report (see above).
