audit-kernel icon indicating copy to clipboard operation
audit-kernel copied to clipboard

Published 20 hours ago verified publisher icon linux-audit

BUG: audit log

Open hqh2010 opened this issue 1 year ago • 8 comments

fix:audit.log can't record correctly when rm the dir end with '/'

step:

  1. mkdir test

  2. touch test/111.txt

  3. rm -r test/

Log:

type=PATH msg=audit(1690506313.361:2505): item=1 name=(null) inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0

type=PATH msg=audit(1690506313.361:2505): item=2 name=(null) inode=1049384 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0

Change-Id: I6b242a062ced1e3db129b9b9e5f155c681561c2a

hqh2010 avatar Jul 28 '23 01:07 hqh2010

Hi @hqh2010, thanks for debugging this and submitting a PR! I haven't had a chance to properly review it, but we generally ask for Linux Kernel patches to be sent via the Linux Audit mailing list at [email protected].

Are you familiar with the Linux Kernel patch submission process? If not, there is a document which goes into detail on the process (link below). If you have any questions I'm happy to help.

  • https://docs.kernel.org/process/submitting-patches.html

pcmoore avatar Jul 28 '23 02:07 pcmoore

Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?

pcmoore avatar Feb 14 '24 16:02 pcmoore

I'am sorry, I can't submit this pr, you can submit this pr instead, tks.

At 2024-02-15 00:05:48, "Paul Moore" @.***> wrote:

Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: @.***>

hqh2010 avatar Feb 27 '24 09:02 hqh2010

Hi @pcmoore ,

I'm writing to you on behalf of my former colleague, @hqh2010 , who reported a bug in kernel audit.

The bug was discovered when a customer called the kernel audit function in UnionTechOS distribution.

@hqh2010 has since left Uniontech, but I will improve this bugfix patch and send it to the audit subsystem mailing list as soon as possible.

And will also include @hqh2010 's name in the commit msg.

Thanks for your time.

Best regards,

WangYuli. [email protected]

Avenger-285714 avatar Feb 28 '24 07:02 Avenger-285714

That would be great, thank you @Avenger-285714 (and @hqh2010)!

pcmoore avatar Feb 28 '24 14:02 pcmoore

@pcmoore Exactly same behavior on RHEL 8.7 as well with audit-3.0.7-4.el8.x86_64 and 4.18.0-425.13.1.el8_7.x86_64, Is there any workaround to get it sorted?

ramzcode avatar Apr 17 '24 09:04 ramzcode

Hi @ramzcode, last I saw @Avenger-285714 was planning to submit a kernel patch to address the problem so I was waiting on that to happen. If @Avenger-285714 is not able or willing to post a patch we can look into alternate ways to submit and discuss the patch upstream.

However, as you are mentioning RHEL, you may want to contact your IBM/RH support team to look for an answer. We do not support RHEL kernels in this GitHub.

pcmoore avatar Apr 19 '24 18:04 pcmoore