BUG: intermediate directories missing in audit PATH records

[naugustine98]

Environment

OS: Centos 7
Kernel: 3.10.0-1160.108.1.el7.x86_64
Audit: 2.8.5

Rules

$ sudo auditctl -l
-w /home/nid/audittest -p wa -k audittest

Operation

$ pwd
/home/nid/audittest
$ ls
kernel
$ ls kernel/
audit
$ ls kernel/audit/
testfile
$ rm -rf kernel

Audit Records

type=PROCTITLE msg=audit(07/03/2024 11:39:20.891:23602221) : proctitle=rm -rf kernel
type=PATH msg=audit(07/03/2024 11:39:20.891:23602221) : item=1 name=testfile inode=201714147 dev=fd:00 mode=file,664 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(07/03/2024 11:39:20.891:23602221) : item=0 name=/home/nid/audittest inode=201714144 dev=fd:00 mode=dir,775 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/03/2024 11:39:20.891:23602221) :  cwd=/home/nid/audittest
type=SYSCALL msg=audit(07/03/2024 11:39:20.891:23602221) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x5 a1=0x15a46a8 a2=0x0 a3=0x7ffd31318a20 items=2 ppid=16898 pid=26549 auid=nid uid=nid gid=nid euid=nid suid=nid fsuid=nid egid=nid sgid=nid fsgid=nid tty=pts5 ses=10697 comm=rm exe=/usr/bin/rm subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=audittest

Expected Behavior

• The parent directory should be coming as /home/nid/audittest/kernel/audit

Actual Behavior

• The parent directory is coming as /home/nid/audittest

The same issue happens on this environment as well
OS: RHEL 9.3
Kernel: 5.14.0-362.13.1.el9_3.x86_64
Audit: 3.0.7

[rwk141414]

I see this was marked as a bug in July but it appears that no on is assigned as yet. Is this being worked on?

[pcmoore]

I'm not aware of anyone working on this, are you interested?

It's possible that the work going on in the thread below may have an impact on this:

• https://lore.kernel.org/audit/[email protected]/

[rwk141414]

Yes, I am very interested in this thread as the issue is being manifested in File Incident Monitoring solutions with invalid path names returned in the monitoring events. I agree that the thread below may impact this as well. I will monitor that thread as well as this one. Thanks, Ray Kendrick | Enterprise Vulnerability Services w 860-273-2024 c 413-687-4526 [CVS] From: Paul Moore ***@***.***> Sent: Tuesday, November 12, 2024 4:46 PM To: linux-audit/audit-kernel ***@***.***> Cc: Kendrick, Ray ***@***.***>; Manual ***@***.***> Subject: [EXTERNAL] Re: [linux-audit/audit-kernel] BUG: intermediate directories missing in audit PATH records (Issue #163) **** External Email - Use Caution ****

…

________________________________ I'm not aware of anyone working on this, are you interested? It's possible that the work going on in the thread below may have an impact on this: * ***@***.******@***.***/> — Reply to this email directly, view it on GitHub<#163 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BI2XZNVH6EZF4IPA7GBRZS32AJZKLAVCNFSM6AAAAABKI4BCXWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINZRGY2DQOBVHA>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.******@***.***>>

[pcmoore]

As a reminder @rwk141414, we do not provide individual Linux distribution support here, especially for enterprise distributions with their own established support mechanisms. We're obviously very happy to hear about bugs, offers to help test, offers to work on fixing bugs (patches!), etc., but if you are a RHEL customer looking for RHEL support you should also contact your IBM/RH support representative.

[rprobaina]

I'm not aware of anyone working on this, are you interested?

It's possible that the work going on in the thread below may have an impact on this:

* https://lore.kernel.org/audit/[email protected]/

@pcmoore, I agree, it seems to be related to the same issue. I'll investigate it. Feel free to assign this issue to me, I don't have the project's permission to do so.

[pcmoore]

Done @rprobaina and thanks!

(related, I'll take a closer look at the GH perms to see if I can fix that, although last I checked they were too coarse)