
I'm using auditd to audit a folder, /shared, for read, write, attribute changes and deletions.

I have installed auditd and configured the following rules:

-a exit,always -S unlink -S rmdir
-a exit,always -F path=/shared

If I run a manual report using ausearch

ausearch -f /shared

I can see what I'm expecting, if the actions are done from a session on the Linux box

time->Fri Feb 10 09:34:34 2017
type=PATH msg=audit(1486737274.412:3978): item=3 name="new/./hello2.txt" inode=135760552 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=CREATE
type=PATH msg=audit(1486737274.412:3978): item=2 name="hello2.txt" inode=135760552 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=DELETE
type=PATH msg=audit(1486737274.412:3978): item=1 name="new/./" inode=67315361 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=PARENT
type=PATH msg=audit(1486737274.412:3978): item=0 name="/shared" inode=134343544 dev=fd:00 mode=040777 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=PARENT
type=CWD msg=audit(1486737274.412:3978):  cwd="/shared"
type=SYSCALL msg=audit(1486737274.412:3978): arch=c000003e syscall=82 success=yes exit=0 a0=7ffdbdf7381d a1=19408f0 a2=0 a3=7ffdbdf72a30 items=4 ppid=4283 pid=23993 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mv" exe="/usr/bin/mv" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

But if the /shared directory is accessed from a Windows box, and I do an action on the folder/files from the Windows box, I don't get the same clarity of information:

time->Fri Feb 10 09:41:13 2017
type=PATH msg=audit(1486737673.585:4567): item=1 name=4E657720666F6C646572 inode=135760552 dev=fd:00 mode=040777 ouid=16777216 ogid=16777216 rdev=00:00 obj=system_u:object_r:default_t:s0 objtype=CREATE
type=PATH msg=audit(1486737673.585:4567): item=0 name="/shared" inode=134343544 dev=fd:00 mode=040777 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=PARENT
type=CWD msg=audit(1486737673.585:4567):  cwd="/shared"
type=SYSCALL msg=audit(1486737673.585:4567): arch=c000003e syscall=83 success=yes exit=0 a0=7f0cd0fb4230 a1=1ff a2=1ff a3=7f0cd0fb24a8 items=2 ppid=1766 pid=6614 auid=4294967295 uid=16777216 gid=0 euid=16777216 suid=0 fsuid=16777216 egid=16777216 sgid=0 fsgid=16777216 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1486737673.585:4567): avc:  denied  { create } for  pid=6614 comm="smbd" name=4E657720666F6C646572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir

From here, I can tell what action took place, e.g. objtype=CREATE, but I can't determine what folder/file the action took place on, because the log shows a hashed name, e.g. name=4E657720666F6C646572

How do I get auditd to show me the folder/file name of something it's monitoring, when the changes are made via an smb client?

CIA
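The unquoted name in the smbd event is not a hash: auditd hex-encodes any string that contains a space, a quote or a control byte, and 4E657720666F6C646572 decodes to "New folder". `ausearch -i` performs that decoding for you. The following Python decoder is an added example, not part of the question, that applies the same rule to the raw records pasted above (the sample log is constructed from those records):

```python
import re

# Constructed sample: the raw (non-interpreted) records from the question's smbd
# event plus one record from the mv event.
SAMPLE_LOG = """\
type=PATH msg=audit(1486737673.585:4567): item=1 name=4E657720666F6C646572 inode=135760552 dev=fd:00 mode=040777 ouid=16777216 ogid=16777216 rdev=00:00 obj=system_u:object_r:default_t:s0 objtype=CREATE
type=PATH msg=audit(1486737673.585:4567): item=0 name="/shared" inode=134343544 dev=fd:00 mode=040777 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=PARENT
type=AVC msg=audit(1486737673.585:4567): avc:  denied  { create } for  pid=6614 comm="smbd" name=4E657720666F6C646572 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=PATH msg=audit(1486737274.412:3978): item=2 name="hello2.txt" inode=135760552 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=DELETE
"""

HEX_VALUE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
NAME_FIELD = re.compile(r'\bname=("(?:[^"\\]|\\.)*"|\S+)')
HEADER = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):")

def decode_audit_value(raw):
    """Decode one audit field value. auditd quotes plain strings but emits a bare
    hex string (no quotes) when the value holds a space, a quote or a control
    byte; that is what turns "New folder" into 4E657720666F6C646572."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return None
    if HEX_VALUE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw  # some other unquoted token: leave it untouched

def names_in_log(text):
    """Return (event id, record type, objtype or '', decoded name) for every
    record that carries a name= field, in file order."""
    out = []
    for line in text.splitlines():
        head = HEADER.match(line)
        name = NAME_FIELD.search(line)
        if not head or not name:
            continue
        objtype = re.search(r"\bobjtype=(\S+)", line)
        out.append((head.group(3), head.group(1),
                    objtype.group(1) if objtype else "",
                    decode_audit_value(name.group(1))))
    return out

if __name__ == "__main__":
    for event, rtype, objtype, name in names_in_log(SAMPLE_LOG):
        print(f"event {event} {rtype:<5} {objtype:<7} {name!r}")
```

Pipe a real `ausearch -f /shared` dump into `names_in_log` to get the same view; the PARENT record still gives the directory, so the decoded CREATE name resolves to /shared/New folder.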

0 Answers