Description
Environment
OS: Centos 7
Kernel: 3.10.0-1160.108.1.el7.x86_64
Audit: 2.8.5
Rules
$ sudo auditctl -l
-w /home/nid/audittest -p wa -k audittest
Operation
$ pwd
/home/nid/audittest
$ ls
kernel
$ ls kernel/
audit
$ ls kernel/audit/
testfile
$ rm -rf kernel
Audit Records
type=PROCTITLE msg=audit(07/03/2024 11:39:20.891:23602221) : proctitle=rm -rf kernel
type=PATH msg=audit(07/03/2024 11:39:20.891:23602221) : item=1 name=testfile inode=201714147 dev=fd:00 mode=file,664 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(07/03/2024 11:39:20.891:23602221) : item=0 name=/home/nid/audittest inode=201714144 dev=fd:00 mode=dir,775 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/03/2024 11:39:20.891:23602221) : cwd=/home/nid/audittest
type=SYSCALL msg=audit(07/03/2024 11:39:20.891:23602221) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x5 a1=0x15a46a8 a2=0x0 a3=0x7ffd31318a20 items=2 ppid=16898 pid=26549 auid=nid uid=nid gid=nid euid=nid suid=nid fsuid=nid egid=nid sgid=nid fsgid=nid tty=pts5 ses=10697 comm=rm exe=/usr/bin/rm subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=audittest
Expected Behavior
- The parent directory should be coming as /home/nid/audittest/kernel/audit
Actual Behavior
- The parent directory is coming as /home/nid/audittest
The same issue happens in this environment as well:
OS: RHEL 9.3
Kernel: 5.14.0-362.13.1.el9_3.x86_64
Audit: 3.0.7
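To make the discrepancy in the records above concrete for anyone consuming them in a SIEM or a log parser, here is an added example (not part of the report or of the audit project) that parses the event shown, joins the PARENT item with the relative DELETE name the way a naive consumer would, and flags the result as untrustworthy when the syscall resolved the name against an open directory fd (a0 not AT_FDCWD), which is exactly the situation here: rm has walked into kernel/audit by fd, so the PARENT item is the watched ancestor rather than the real parent. The 32-bit encoding of AT_FDCWD in a0 and the list of dirfd-taking syscalls are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the four records of the event in the report, as printed by ausearch -i.
SAMPLE = """\
type=PROCTITLE msg=audit(07/03/2024 11:39:20.891:23602221) : proctitle=rm -rf kernel
type=PATH msg=audit(07/03/2024 11:39:20.891:23602221) : item=1 name=testfile inode=201714147 dev=fd:00 mode=file,664 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(07/03/2024 11:39:20.891:23602221) : item=0 name=/home/nid/audittest inode=201714144 dev=fd:00 mode=dir,775 ouid=nid ogid=nid rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(07/03/2024 11:39:20.891:23602221) : cwd=/home/nid/audittest
type=SYSCALL msg=audit(07/03/2024 11:39:20.891:23602221) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x5 a1=0x15a46a8 a2=0x0 a3=0x7ffd31318a20 items=2 ppid=16898 pid=26549 auid=nid uid=nid gid=nid euid=nid suid=nid fsuid=nid egid=nid sgid=nid fsgid=nid tty=pts5 ses=10697 comm=rm exe=/usr/bin/rm subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=audittest
"""

RECORD_RE = re.compile(r"type=(\w+) msg=audit\((.+):(\d+)\) : (.*)")
AT_FDCWD = 0xFFFFFF9C  # assumption: -100 appears in a0 as its 32-bit bit pattern
DIRFD_SYSCALLS = {"unlinkat", "openat", "renameat", "renameat2", "mkdirat", "linkat"}  # assumption

def parse_events(text):
    """Group records by event serial: {serial: {record type: [field dict, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            events[serial][rtype].append(dict(re.findall(r"(\w+)=(\S+)", body)))
    return events

def resolve_deletes(event):
    """Return [(path, trusted, reason)] for each DELETE item, joining PARENT + name
    the way a log consumer would; untrusted when the name was resolved against an
    open dirfd (a0 != AT_FDCWD), since PARENT may then be the watched ancestor."""
    syscall = event["SYSCALL"][0] if event["SYSCALL"] else {}
    cwd = event["CWD"][0].get("cwd", "") if event["CWD"] else ""
    parents = [p["name"] for p in event["PATH"] if p.get("objtype") == "PARENT"]
    base = parents[0] if parents else cwd
    results = []
    for p in event["PATH"]:
        if p.get("objtype") != "DELETE":
            continue
        name = p.get("name", "")
        path = name if name.startswith("/") else f"{base.rstrip('/')}/{name}"
        trusted, reason = True, "absolute or cwd-relative name"
        if not name.startswith("/") and syscall.get("syscall") in DIRFD_SYSCALLS:
            dirfd = int(syscall.get("a0", "0"), 16) & 0xFFFFFFFF
            if dirfd != AT_FDCWD:
                trusted = False
                reason = f"name resolved against dirfd {dirfd}; PARENT may be an ancestor"
        results.append((path, trusted, reason))
    return results
```

For the event above this yields /home/nid/audittest/testfile marked untrusted, while the real file was /home/nid/audittest/kernel/audit/testfile; a consumer that needs the exact path has to fall back on the inode or on correlating the earlier openat of the subdirectory.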