Why does the kernel audit module not record the absolute path of the file

[hqh2010]

config of system:

uos@uos-PC:~/Desktop$ sudo auditctl -l
-w /home/uos/Desktop -p wa -k file_wa_audit
uos@uos-PC:~/Desktop$ tree test
test
└── 111.txt

0 directories, 1 file
uos@uos-PC:~/Desktop$ rm -r test

the content of /var/log/audit/audit.log

type=SYSCALL msg=audit(1690443959.176:1267): arch=c000003e syscall=263 success=yes exit=0 a0=4 a1=6888f8 a2=0 a3=fffffffffffffbbb items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1267): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1267): item=0 name="/home/uos/Desktop" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1267): item=1 name="111.txt" inode=1051788 dev=fe:07 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1267): proctitle=726D002D720074657374

type=SYSCALL msg=audit(1690443959.176:1268): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=6874a0 a2=200 a3=100 items=2 ppid=12889 pid=23410 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=2 comm="rm" exe="/usr/bin/rm" subj=root:sysadm_r:sysadm_t:s0 key="file_wa_audit"
type=CWD msg=audit(1690443959.176:1268): cwd="/home/uos/Desktop"
type=PATH msg=audit(1690443959.176:1268): item=0 name="/home/uos/Desktop" inode=1048584 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1690443959.176:1268): item=1 name="test" inode=1051911 dev=fe:07 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=root:object_r:user_home_t:s0 nametype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1690443959.176:1268): proctitle=726D002D720074657374

question:
the absolute path of the 111.txt is /home/uos/Desktop/test/111.txt, but we can not get absolute path of the 111.txt from audit.log

the version of kernel

uos@uos-PC:~/Desktop$ uname -a
Linux uos-PC 4.19.0-amd64-desktop #6100 SMP Thu Jul 20 13:37:54 CST 2023 x86_64 GNU/Linux

[stevegrubb]

The ausearch utility can give you the full path. In the auparse library, this is provided by the auparse_interpret_realpath() function. This is used when you ask for output formatting to be csv or text:

NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
,SYSCALL,07/27/2023,03:45:59,1267,audit-rule,2,unknown(1000),unknown(1000),user-acct,deleted,success,/home/uos/Desktop/111.txt,1051788,file,/usr/bin/rm
,SYSCALL,07/27/2023,03:45:59,1268,audit-rule,2,unknown(1000),unknown(1000),user-acct,deleted,success,/home/uos/Desktop/test,1051911,directory,/usr/bin/rm

At 03:45:59 07/27/2023 unknown(1000) successfully deleted /home/uos/Desktop/111.txt using /usr/bin/rm
At 03:45:59 07/27/2023 unknown(1000) successfully deleted /home/uos/Desktop/test using /usr/bin/rm

[hqh2010]

but ausearch -i can't get the real the absolute path, I want to get the absolute path of audit file, do you have any ideas? tks

auparse_interpret_realpath is like auparse_interpret_field except
that it will call realpath on the results of gluing the cwd and
file together. This also implies that it only valid to be called
for the file name given in a PATH record.

the same issue:
#231
linux-audit/audit-kernel#133

[stevegrubb]

No, ausearch -i cannot provide the absolute path unless the open syscall was an absolute path. If the syscall was relative, then it has to be built from CWD and the PATH. This is what auparse_interpret_realpath() does. You might look at your test program with strace to see how open was called. The kernel provides information it was handed. If it is relative, it provides all the pieces to reconstruct the path. ausearch -i just interprets the raw pieces. It you want processed information, use the csv format. Or you (or chatGPT) can write a simple python program to provide the information the way you want.

[hqh2010]

The ausearch utility can give you the full path. In the auparse library, this is provided by the auparse_interpret_realpath() function. This is used when you ask for output formatting to be csv or text:

NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW ,SYSCALL,07/27/2023,03:45:59,1267,audit-rule,2,unknown(1000),unknown(1000),user-acct,deleted,success,/home/uos/Desktop/111.txt,1051788,file,/usr/bin/rm ,SYSCALL,07/27/2023,03:45:59,1268,audit-rule,2,unknown(1000),unknown(1000),user-acct,deleted,success,/home/uos/Desktop/test,1051911,directory,/usr/bin/rm

At 03:45:59 07/27/2023 unknown(1000) successfully deleted /home/uos/Desktop/111.txt using /usr/bin/rm At 03:45:59 07/27/2023 unknown(1000) successfully deleted /home/uos/Desktop/test using /usr/bin/rm

Thank you very much for your reply.

Is there any method to obtain the full path of the file from '/var/log/audit/audit.log' besides modifying the kernel audit module?

[stevegrubb]

The auparse_interpret_realpath() function can build the path from the piece parts. The kernel developers consider the fragmented output to be a user space problem. (They are concerned with outputting the data as fast as possible.) Most system calls are easy to reconstruct. The biggest problem is renameat because it fully involves a cwd, and 2 directory paths, and 2 files. In the simpler case, if the path is relative, call auparse_interpret_realpath to build the full path. (This implies that you are writing a program for custom reporting.) Otherwise, a simple call to auparse_interpret_field will give you the absolute path.

Aside from writing a custom report, the csv data has what you want and more. The csv format lends itself to data science techniques. You may find that better depending on your purpose.

[hqh2010]

The auparse_interpret_realpath() function can build the path from the piece parts. The kernel developers consider the fragmented output to be a user space problem. (They are concerned with outputting the data as fast as possible.) Most system calls are easy to reconstruct. The biggest problem is renameat because it fully involves a cwd, and 2 directory paths, and 2 files. In the simpler case, if the path is relative, call auparse_interpret_realpath to build the full path. (This implies that you are writing a program for custom reporting.) Otherwise, a simple call to auparse_interpret_field will give you the absolute path.

Aside from writing a custom report, the csv data has what you want and more. The csv format lends itself to data science techniques. You may find that better depending on your purpose.

ths.

[stevegrubb]

OK. I don't think there is much else that can be done here. If you need more assistance, reopen or better yet, ask on the mail list.