I am working on creating aliases for chmod where, suppose, if anyone wants to change the permission of a certain file/folder, then it should first call the alias which I created instead of bin/chmod. In my alias I am checking whether that file is allowed for permission change or not. If yes, then only is the permission changed, and if not, then an error message is prompted saying "You cannot change permission of this file as this is system file". As a part of this change, we are also implementing auditing using the auditctl utility. We are able to capture the below details using auditctl:
type=SYSCALL msg=audit(1673344946.845:3088638): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=161a0f0 a2=1ff a3=7fff38a341a0 items=1 ppid=231685 pid=26681 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=137001 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="audit_time_perm_mod_export_delete"
type=PATH msg=audit(1673344946.845:3088638): item=0 name="abc.txt" inode=397261 dev=08:13 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1673344946.845:3088638): proctitle=2F7573722F62696E2F63686D6F6400373737006162632E747874
We are logging the process id as part of this, but is there any way to log the process name which triggered this command? Because we cannot get the process name from the pid once the process is killed.
I am very much new to Linux and the auditctl tool. Could someone please help on this?
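An added example (not the poster's code) of the wrapper described above: it refuses protected paths, records the name of the invoking process while that process is still alive (the audit SYSCALL record carries only the numeric ppid), and decodes the hex PROCTITLE field from the record in the question. The protected-prefix list, the use of /proc, and the `logger` tag are assumptions.

```shell
# Added example, not the poster's code. Wrapper around /usr/bin/chmod that
# refuses protected paths, records the invoking process's name (assumed to
# be the parent shell, read from /proc while it is still alive), and decodes
# the hex PROCTITLE field of an audit record. The prefix list is an assumption.
PROTECTED_PREFIXES="/etc /bin /sbin /usr/bin /usr/sbin"

# is_protected PATH: succeeds when PATH is, or lies under, a protected prefix
is_protected() {
    for prefix in $PROTECTED_PREFIXES; do
        case "$1" in "$prefix"|"$prefix"/*) return 0 ;; esac
    done
    return 1
}

# caller_name PID: command name of PID; audit SYSCALL records carry only the
# ppid number, so capture the name now, before that process can exit
caller_name() {
    if [ -r "/proc/$1/comm" ]; then cat "/proc/$1/comm"
    else ps -o comm= -p "$1" 2>/dev/null || echo unknown; fi
}

# decode_proctitle HEX: argv from a PROCTITLE record, NUL separators as spaces
decode_proctitle() {
    hex=$1; out=""
    while [ "${#hex}" -ge 2 ]; do
        pair=${hex%"${hex#??}"}; hex=${hex#??}
        if [ "$pair" = "00" ]; then out="$out "
        else out="$out$(printf "\\$(printf '%03o' "$((0x$pair))")")"; fi
    done
    printf '%s\n' "$out"
}

# chmod MODE FILE...: first non-option word is the mode, every other non-option
# word is a path that must not be protected (a symbolic mode starting with '-',
# such as -w, is treated as an option here)
chmod() {
    caller=$(caller_name "$$")   # in an installed script use "$PPID" instead
    mode=""
    for arg in "$@"; do
        case "$arg" in -*) continue ;; esac
        if [ -z "$mode" ]; then mode=$arg; continue; fi
        if is_protected "$arg"; then
            echo "You cannot change permission of this file as this is system file" >&2
            logger -t chmod-wrapper "denied caller=$caller uid=$(id -u) mode=$mode path=$arg"
            return 1
        fi
    done
    logger -t chmod-wrapper "allowed caller=$caller uid=$(id -u) args=$*"
    command /usr/bin/chmod "$@"
}

decode_proctitle 2F7573722F62696E2F63686D6F6400373737006162632E747874   # value from the question's record
```

Sourcing this file in the shell (or installing the functions in a script that sits earlier in PATH than /usr/bin) makes every `chmod` call pass through the check and leave a syslog line naming the caller, which can then be matched to the audit record by uid and timestamp.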