Rmdir syscall event and file path

alanoe · March 2, 2021, 9:23pm

I'm tracking the rmdir syscall with the following rule:

  audit_rules: |
    -a always,exit -F dir=/sasdata -F arch=b64 -S creat -S open -S openat -S unlink -S unlinkat -S symlink -S symlinkat -S link -S linkat -S rename -S renameat -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S mkdir -S mkdirat -S rmdir -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k filesystem_op

I get the following event when I remove a directory in the watched directory:

{"auditd":{"data":{"a0":"7ffcda1b1756","a1":"2","a2":"7f398c8c0280","a3":"7ffcda1b0a60","arch":"x86_64","exit":"0","syscall":"rmdir","tty":"pts0"},"message_type":"syscall","paths":[{"cap_fe":"0","cap_fi":"0000000000000000","cap_fp":"0000000000000000","cap_fver":"0","dev":"08:04","inode":"100916940","item":"0","mode":"040775","name":"/sasdata/","objtype":"PARENT","ogid":"201327708","ouid":"0","rdev":"00:00"},{"cap_fe":"0","cap_fi":"0000000000000000","cap_fp":"0000000000000000","cap_fver":"0","dev":"08:04","inode":"100916940","item":"1","mode":"040775","objtype":"PARENT","ogid":"201327708","ouid":"0","rdev":"00:00"},{"cap_fe":"0","cap_fi":"0000000000000000","cap_fp":"0000000000000000","cap_fver":"0","dev":"08:04","inode":"33731764","item":"2","mode":"040755","objtype":"DELETE","ogid":"0","ouid":"0","rdev":"00:00"}],"result":"success","sequence":22040,"session":"2092","summary":{"actor":{"primary":"aevangelista","secondary":"root"},"how":"/usr/bin/rmdir","object":{"primary":"/sasdata/","type":"file"}}},"event":{"action":"deleted","category":["file"],"kind":"event","module":"auditd","outcome":"success","type":["deletion"]},"file":{"device":"00:00","gid":"201327708","group":"sasusers","inode":"100916940","mode":"0775","owner":"root","path":"/sasdata/","uid":"0"},"process":{"executable":"/usr/bin/rmdir","name":"rmdir","pid":11064,"ppid":10616,"title":"rmdir /sasdata/testdir/","working_directory":"/home/aevangelista"},"service":{"type":"auditd"},"tags":["filesystem_op"],"user":{"audit":{"id":"201327714","name":"aevangelista"},"filesystem":{"group":{"id":"0","name":"root"},"id":"0","name":"root"},"group":{"id":"0","name":"root"},"id":"0","name":"root","saved":{"group":{"id":"0","name":"root"},"id":"0","name":"root"}}}

I expected to see the deleted file path in the PATH record with objtype=DELETE, but it's not there nor anywhere else in the event.

If I stop auditbeat, set up the same audit rule on auditd conf file, start the auditd service and remove the same directory once again, I can see the deleted file path in the PATH record with objtype=DELETE:

type=SYSCALL msg=audit(1614718358.207:22068): arch=c000003e syscall=84 success=yes exit=0 a0=7ffcc2324757 a1=2 a2=7f7e689e7280 a3=7ffcc23228e0 items=2 ppid=11070 pid=22265 auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2093 comm="rmdir" exe="/usr/bin/rmdir" key="filesystem_op"
type=CWD msg=audit(1614718358.207:22068):  cwd="/home/aevangelista"
type=PATH msg=audit(1614718358.207:22068): item=0 name="/sasdata/" inode=100916940 dev=08:04 mode=040775 ouid=0 ogid=201327708 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1614718358.207:22068): item=1 name="/sasdata/testdir" inode=68153511 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Oddly, there are 2 PATH records in the auditd event and 3 in the Auditbeat event. Shouldn't a syscall event recorded by Auditbeat have the same number of PATH records of a syscall event recorded by auditd?

Is this an Auditbeat bug or am I doing something wrong here?

andrewkroh · March 3, 2021, 4:13pm

To help debug this, try enabling these two options:

include_raw_message: true
include_warnings: true

Reference:

alanoe · March 5, 2021, 2:55am

@andrewkroh I've enabled these two options and got the following event:

{"auditd":{"data":{"a0":"7ffcf6e5c757","a1":"2","a2":"7f200050f280","a3":"7ffcf6e5b660","arch":"x86_64","exit":"0","syscall":"rmdir","tty":"pts1"},"message_type":"syscall","paths":[{"cap_fe":"0","cap_fi":"0000000000000000","cap_fp":"0000000000000000","cap_fver":"0","dev":"08:04","inode":"100916940","item":"0","mode":"040775","name":"/sasdata/","objtype":"PARENT","ogid":"201327708","ouid":"0","rdev":"00:00"},{"cap_fe":"0","cap_fi":"0000000000000000","cap_fp":"0000000000000000","cap_fver":"0","dev":"08:04","inode":"100916940","item":"1","mode":"040775","objtype":"PARENT","ogid":"201327708","ouid":"0","rdev":"00:00"},{"cap_fe":"0","cap_fi":"0000000000000000","cap_fp":"0000000000000000","cap_fver":"0","dev":"08:04","inode":"1181650","item":"2","mode":"040755","objtype":"DELETE","ogid":"0","ouid":"0","rdev":"00:00"}],"result":"success","sequence":4136,"session":"269","summary":{"actor":{"primary":"aevangelista","secondary":"root"},"how":"/usr/bin/rmdir","object":{"primary":"/sasdata/","type":"file"}}},"event":{"action":"deleted","category":["file"],"kind":"event","module":"auditd","original":["type=SYSCALL msg=audit(1614912311.117:4136): arch=c000003e syscall=84 success=yes exit=0 a0=7ffcf6e5c757 a1=2 a2=7f200050f280 a3=7ffcf6e5b660 items=3 ppid=17590 pid=22579 auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=269 comm=\"rmdir\" exe=\"/usr/bin/rmdir\" key=\"filesystem_op\"","type=CWD msg=audit(1614912311.117:4136):  cwd=\"/home/aevangelista\"","type=PATH msg=audit(1614912311.117:4136): item=0 name=\"/sasdata/\" inode=100916940 dev=08:04 mode=040775 ouid=0 ogid=201327708 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0","type=PATH msg=audit(1614912311.117:4136): item=1 name=(null) inode=100916940 dev=08:04 mode=040775 ouid=0 ogid=201327708 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0","type=PATH msg=audit(1614912311.117:4136): item=2 name=(null) inode=1181650 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0","type=PROCTITLE msg=audit(1614912311.117:4136): proctitle=726D646972002F736173646174612F746573746469722F"],"outcome":"success","type":["deletion"]},"file":{"device":"00:00","gid":"201327708","group":"sasusers","inode":"100916940","mode":"0775","owner":"root","path":"/sasdata/","uid":"0"},"process":{"executable":"/usr/bin/rmdir","name":"rmdir","pid":22579,"ppid":17590,"title":"rmdir /sasdata/testdir/","working_directory":"/home/aevangelista"},"service":{"type":"auditd"},"tags":["filesystem_op"],"user":{"audit":{"id":"201327714","name":"aevangelista"},"filesystem":{"group":{"id":"0","name":"root"},"id":"0","name":"root"},"group":{"id":"0","name":"root"},"id":"0","name":"root","saved":{"group":{"id":"0","name":"root"},"id":"0","name":"root"}}}

With this extra debugging, it got obvious that the problem is in Audit, not Auditbeat.

I found out that this problem only happens when I run "rmdir /sasdata/testdir/" (with a unnecessary slash at the end). If I run "rmdir /sas/data/testdir" instead, I get the directory path in the paths object in both the audit event AND in the auditbeat event. That's the command I tried when testing with auditd before.

IMHO Audit should provide the path of the deleted directory somewhere in its event, regardless if the rmdir command has a slash at the end of the directory path or not. I'll write about it to the linux-audit mailing list.

Thanks for the help!

system · April 2, 2021, 4:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to link/stitch-together events in an efficient way? Elasticsearch	3	404	January 12, 2021
After a folder is deleted and recreated, file_integrity events are missing until service restart Beats auditbeat	2	332	June 28, 2023
Filebeat auditd module Beats filebeat	4	544	October 10, 2018
Auditbeat identifying directories as files Beats auditbeat	1	429	January 11, 2019
Help with drop_event Beats auditbeat	1	333	August 7, 2020

Rmdir syscall event and file path

Related topics