Q: different results watching destination file name vs destination directory #167

Description

@bobbintb

I am trying to log file operations using auditd (audit 4.0.1) and came across an issue with moving files. If I include the filename in the destination:
mv /mnt/user/home/file.txt /mnt/user/home/Folder1/file.txt
I get this:

type=SYSCALL msg=audit(1723755217.700:367): syscall=264 success=yes exit=0 a0=ffffff9c a1=7ffcad79d745 a2=ffffff9c a3=7ffcad79d763 items=4 ppid=402506 pid=763811 comm="mv" exe="/bin/mv" SYSCALL=renameat 
type=CWD msg=audit(1723755217.700:367): cwd="/usr/local"
type=PATH msg=audit(1723755217.700:367): item=0 name="/mnt/user/home/Folder1/" inode=11540474087238444 nametype=PARENT 
type=PATH msg=audit(1723755217.700:367): item=1 name="/mnt/user/home/" inode=11540474084530994 nametype=PARENT 
type=PATH msg=audit(1723755217.700:367): item=2 name="/mnt/user/home/file.txt" inode=652740471477682549 nametype=DELETE 
type=PATH msg=audit(1723755217.700:367): item=3 name="/mnt/user/home/Folder1/file.txt" inode=652740471477682549 nametype=CREATE 
type=PROCTITLE msg=audit(1723755217.700:367): proctitle=mv /mnt/user/home/file.txt /mnt/user/home/Folder1/file.txt
type=EOE msg=audit(1723755217.700:367):

But if I just include the destination folder:

mv /mnt/user/home/file.txt /mnt/user/home/Folder1/
I get two syscalls:

type=SYSCALL msg=audit(1723755697.454:465): syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffc55b2276c a2=210000 a3=0 items=1 comm="mv" exe="/bin/mv" SYSCALL=openat 
type=CWD msg=audit(1723755697.454:465): cwd="/usr/local"
type=PATH msg=audit(1723755697.454:465): item=0 name="/mnt/user/home/Folder1/" inode=11540474087238444 nametype=NORMAL 
type=PROCTITLE msg=audit(1723755697.454:465): proctitle=mv /mnt/user/home/file.txt /mnt/user/home/Folder1/
type=EOE msg=audit(1723755697.454:465):

type=SYSCALL msg=audit(1723755697.455:466): syscall=264 success=yes exit=0 a0=ffffff9c a1=7ffc55b2274a a2=3 a3=4270fa items=4 comm="mv" exe="/bin/mv" SYSCALL=renameat 
type=CWD msg=audit(1723755697.455:466): cwd="/usr/local"
type=PATH msg=audit(1723755697.455:466): item=0 name="/usr/local" inode=11540474087238444 nametype=PARENT 
type=PATH msg=audit(1723755697.455:466): item=1 name="/mnt/user/home/" inode=11540474084530994 nametype=PARENT 
type=PATH msg=audit(1723755697.455:466): item=2 name="/mnt/user/home/file.txt" inode=652740471477682549 nametype=DELETE 
type=PATH msg=audit(1723755697.455:466): item=3 name="file.txt" inode=652740471477682549 nametype=CREATE 
type=PROCTITLE msg=audit(1723755697.455:466): proctitle=mv /mnt/user/home/file.txt /mnt/user/home/Folder1/
type=EOE msg=audit(1723755697.455:466):

Here is the rule I used, the only one:

-a always,exit -F arch=b64 -S all -F dir=/mnt/user/home/ -F success=1
Is this intended behavior? A bug? I'm starting to think it's a bug, since the items in the second scenario don't seem right. I'm having a hard time trying to the second scenario.
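Whatever the verdict on the PARENT item in the second scenario, a consumer of these logs still has to turn the second form into a full destination path: the CREATE item carries only "file.txt", and the `a2=3` argument of `renameat` refers to the file descriptor that the preceding `openat` returned (`exit=3`). The parser below is an added example (not code from the linux-audit project or from the issue author) that groups records by audit serial, keeps a per-process table of fds returned by successful `openat` calls, and uses it to resolve a relative CREATE name when `a2` is not `AT_FDCWD`. It embeds the two event sets from the issue verbatim as sample input; since the second set has no `pid` field on the page, it falls back to `comm` as the correlation key, which is an assumption for this sample and would be too coarse on a busy host.

```python
import posixpath
import re
from collections import defaultdict

# auditd prints a0..a3 as unsigned hex; -100 (AT_FDCWD) appears as ffffff9c
AT_FDCWD = 0xFFFFFF9C

# Sample input: the audit records quoted in the issue above, embedded verbatim.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1723755217.700:367): syscall=264 success=yes exit=0 a0=ffffff9c a1=7ffcad79d745 a2=ffffff9c a3=7ffcad79d763 items=4 ppid=402506 pid=763811 comm="mv" exe="/bin/mv" SYSCALL=renameat
type=CWD msg=audit(1723755217.700:367): cwd="/usr/local"
type=PATH msg=audit(1723755217.700:367): item=0 name="/mnt/user/home/Folder1/" inode=11540474087238444 nametype=PARENT
type=PATH msg=audit(1723755217.700:367): item=1 name="/mnt/user/home/" inode=11540474084530994 nametype=PARENT
type=PATH msg=audit(1723755217.700:367): item=2 name="/mnt/user/home/file.txt" inode=652740471477682549 nametype=DELETE
type=PATH msg=audit(1723755217.700:367): item=3 name="/mnt/user/home/Folder1/file.txt" inode=652740471477682549 nametype=CREATE
type=EOE msg=audit(1723755217.700:367):
type=SYSCALL msg=audit(1723755697.454:465): syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffc55b2276c a2=210000 a3=0 items=1 comm="mv" exe="/bin/mv" SYSCALL=openat
type=CWD msg=audit(1723755697.454:465): cwd="/usr/local"
type=PATH msg=audit(1723755697.454:465): item=0 name="/mnt/user/home/Folder1/" inode=11540474087238444 nametype=NORMAL
type=EOE msg=audit(1723755697.454:465):
type=SYSCALL msg=audit(1723755697.455:466): syscall=264 success=yes exit=0 a0=ffffff9c a1=7ffc55b2274a a2=3 a3=4270fa items=4 comm="mv" exe="/bin/mv" SYSCALL=renameat
type=CWD msg=audit(1723755697.455:466): cwd="/usr/local"
type=PATH msg=audit(1723755697.455:466): item=0 name="/usr/local" inode=11540474087238444 nametype=PARENT
type=PATH msg=audit(1723755697.455:466): item=1 name="/mnt/user/home/" inode=11540474084530994 nametype=PARENT
type=PATH msg=audit(1723755697.455:466): item=2 name="/mnt/user/home/file.txt" inode=652740471477682549 nametype=DELETE
type=PATH msg=audit(1723755697.455:466): item=3 name="file.txt" inode=652740471477682549 nametype=CREATE
type=EOE msg=audit(1723755697.455:466):
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the msg=audit(<time>:<serial>) stamp that ties records of one event together
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Parse one audit record into a dict of fields plus its event serial."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}
    fields["_serial"] = int(m.group(2))
    return fields


def group_events(text):
    """Group records by audit serial, preserving first-seen order."""
    events, order = {}, []
    for raw in text.splitlines():
        rec = parse_record(raw.strip()) if raw.strip() else None
        if rec is None:
            continue
        events.setdefault(rec["_serial"], []) or order.append(rec["_serial"])
        events[rec["_serial"]].append(rec)
    return [events[s] for s in order]


def resolve_renames(text):
    """Return [(src, dst)] for successful renameat events, with dst absolute.

    A relative CREATE name is joined onto the directory that the process
    opened earlier (fd from a successful openat) when a2 != AT_FDCWD, or onto
    cwd when a2 == AT_FDCWD. dst is None if the fd was never seen in the log.
    """
    fd_table = defaultdict(dict)  # process key -> {fd: directory path}
    renames = []
    for recs in group_events(text):
        sysc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sysc is None or sysc.get("success") != "yes":
            continue
        # Assumption: fall back to comm when pid is absent (as in the issue's second set).
        key = sysc.get("pid") or sysc.get("comm", "?")
        paths = [r for r in recs if r.get("type") == "PATH"]
        if sysc.get("SYSCALL") == "openat":
            target = next((p["name"] for p in paths if p.get("nametype") == "NORMAL"), None)
            if target is not None:
                fd_table[key][int(sysc["exit"])] = target
        elif sysc.get("SYSCALL") == "renameat":
            src = next((p["name"] for p in paths if p.get("nametype") == "DELETE"), None)
            dst = next((p["name"] for p in paths if p.get("nametype") == "CREATE"), None)
            if dst is not None and not dst.startswith("/"):
                newdirfd = int(sysc["a2"], 16)
                if newdirfd == AT_FDCWD:
                    base = next((r["cwd"] for r in recs if r.get("type") == "CWD"), None)
                else:
                    base = fd_table[key].get(newdirfd)
                dst = posixpath.join(base, dst) if base else None
            renames.append((src, dst))
    return renames


if __name__ == "__main__":
    for src, dst in resolve_renames(SAMPLE_LOG):
        print(f"{src} -> {dst if dst else '<unresolved dirfd>'}")
```

Both event sets resolve to the same move of /mnt/user/home/file.txt into /mnt/user/home/Folder1/, without trusting the item=0 PARENT entry of the second set. The resolution only works because the `openat` on the destination directory was itself logged; with a `-F dir=` rule, an open outside the watched tree would not appear, and the example then reports the destination as unresolved rather than guessing.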
