How do I get auditd to show me the filename that was removed? Here is my test case:
Code:
~/testdir$ echo $RANDOM > TEST$RANDOM
~/testdir$ sync
~/testdir$ rm TEST11775
This is what audit.log shows:
Code:
type=SYSCALL msg=audit(1504716391.145:215): arch=c000003e syscall=87 success=yes exit=0 a0=1307008 a1=0 a2=180 a3=7ffce6565f08 items=2 ppid=25880 pid=25881 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="USERDELETE"
type=CWD msg=audit(1504716391.145:215): cwd="/home/user/testdir"
type=PATH msg=audit(1504716391.145:215): item=0 name="/tmp/" inode=1310721 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1504716391.145:215): item=1 name="/tmp/sh-thd-125696564890830" inode=1310737 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1504716391.145:215): proctitle="-bash"
These are my audit.rules:
Code:
-D
-b 1024
-a exit,always -S rename -S renameat -k USERRENAME
-a exit,always -S unlink -S rmdir -k USERDELETE
I also tried running the rm with strace but I don't see the file being moved to /tmp. Relevant entries are:
Code:
execve("/bin/rm", ["rm", "TEST3727"], [/* 20 vars */]) = 0
...
unlinkat(AT_FDCWD, "TEST3727", 0) = 0
Do I need more granular logging like also recording open and close calls? That seems very noisy so I am looking for a more concise way to do this. Thanks!
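Two details in the post's own output explain what was captured: the SYSCALL record has comm="bash" and syscall=87, which on x86_64 (arch=c000003e) is unlink, so the logged event is bash removing its own temporary file under /tmp, while the strace shows rm calling unlinkat, which the USERDELETE rule (unlink and rmdir only) never matches. The script below is an added example, not from the post: it correlates audit records by event serial, names the syscall, and resolves nametype=DELETE paths against the CWD record; it assumes the rule is extended to `-a exit,always -F arch=b64 -S unlink -S unlinkat -S rmdir -k USERDELETE`, and the second event (serial 216) is constructed to show what rm's unlinkat would then look like.

```python
import os
import re
from collections import defaultdict

# x86_64 (arch=c000003e) numbers for the delete/rename syscalls the post's rules target
SYSCALL_NAMES = {82: "rename", 84: "rmdir", 87: "unlink",
                 263: "unlinkat", 264: "renameat", 316: "renameat2"}

# Event 215 is the post's own audit.log excerpt. Event 216 is CONSTRUCTED to show how
# rm's unlinkat(AT_FDCWD, "TEST11775", 0) would be logged once a rule covers unlinkat.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1504716391.145:215): arch=c000003e syscall=87 success=yes exit=0 a0=1307008 a1=0 a2=180 a3=7ffce6565f08 items=2 ppid=25880 pid=25881 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="USERDELETE"
type=CWD msg=audit(1504716391.145:215): cwd="/home/user/testdir"
type=PATH msg=audit(1504716391.145:215): item=0 name="/tmp/" inode=1310721 dev=08:01 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1504716391.145:215): item=1 name="/tmp/sh-thd-125696564890830" inode=1310737 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1504716392.001:216): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=1a2b008 a2=0 a3=0 items=2 ppid=25880 pid=25882 auid=1000 uid=1000 comm="rm" exe="/bin/rm" key="USERDELETE"
type=CWD msg=audit(1504716392.001:216): cwd="/home/user/testdir"
type=PATH msg=audit(1504716392.001:216): item=0 name="/home/user/testdir/" inode=1310800 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1504716392.001:216): item=1 name="TEST11775" inode=1310801 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value, value optionally quoted
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # serial shared by one event's records

def group_events(text):
    """Group SYSCALL/CWD/PATH records that share one msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[EVENT_RE.search(line).group(1)].append(rec)
    return events

def deletions(text):
    """Per event: (serial, comm, syscall name, absolute paths with nametype=DELETE)."""
    out = []
    for serial, recs in group_events(text).items():
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        cwd = next((r["cwd"] for r in recs if r["type"] == "CWD"), "/")
        name = SYSCALL_NAMES.get(int(sc["syscall"]), "syscall_" + sc["syscall"])
        # PATH names may be relative to the directory recorded in the CWD record
        paths = [r["name"] if r["name"].startswith("/") else os.path.join(cwd, r["name"])
                 for r in recs if r["type"] == "PATH" and r.get("nametype") == "DELETE"]
        out.append((serial, sc["comm"], name, paths))
    return out

for serial, comm, name, paths in deletions(SAMPLE_LOG):
    print(f"event {serial}: {comm} called {name}, removed {paths}")
```

The same grouping applies to the USERRENAME key, where renameat2 (316) is what modern coreutils mv issues and is likewise absent from the posted rules.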