From: Peter Moody <pmoody@google.com>
To: Stefano Schiavi <stefanoschiavi00@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: need help interpreting ausearch results
Date: Sun, 22 Dec 2013 09:05:05 -0800
Message-ID: <87d2koddfi.fsf@root.hda3.com>
In-Reply-To: <52B58E25.4080007@gmail.com> (Stefano Schiavi's message of "Sat, 21 Dec 2013 13:48:37 +0100")


What's the actual rule? On my system, syscall 88 is either symlink (64 bit) or reboot (32 bit).

On Sat, Dec 21 2013 at 04:48, Stefano Schiavi wrote:
> Hello,
>
> Could anyone help with this? I really don't know where else to ask.
>
> Thank you very much.
> Stefano
>
>
> On 12/15/13, 12:19 AM, Stefano Schiavi wrote:
>> Hello,
>>
>> Thank you Steve and all for keeping up the great work here.
>>
>> Some time ago I set up some audit rules to monitor what would change the permissions of the
>> public_html directory, since we found that once in a while it would change to 777 out of the
>> blue.
>>
>> It happened again yesterday and I believe these parts of the log represent when the issue
>> happened:
>>
>> type=PATH msg=audit(1386933561.795:7958476): item=2 name="./www" inode=4980752 dev=08:08
>> mode=0120777 ouid=501 ogid=501 rdev=00:00
>> type=PATH msg=audit(1386933561.795:7958476): item=1 name="./" inode=4980737 dev=08:08
>> mode=040711 ouid=501 ogid=501 rdev=00:00
>> type=PATH msg=audit(1386933561.795:7958476): item=0 name="public_html"
>> type=CWD msg=audit(1386933561.795:7958476):  cwd="/home/lanogbar"
>> type=SYSCALL msg=audit(1386933561.795:7958476): arch=c000003e syscall=88 success=yes exit=0
>> a0=1306d160 a1=1306d200 a2=11 a3=0 items=3 ppid=18728 pid=18731 auid=0 uid=501 gid=501
>> euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=117304 comm="gtar"
>> exe="/bin/tar" key="lanogbar-www"
>>
>>
>> This is just a guess though, and I cannot be sure as I have no experience parsing the
>> logs. Looking through with the -i flag we can see the following:
>>
>> type=PATH msg=audit(12/13/2013 15:00:03.759:7970202) : item=0
>> name=/home/lanogbar/public_html/ inode=4980744 dev=08:08 mode=dir,750 ouid=lanogbar
>> ogid=nobody rdev=00:00
>> type=CWD msg=audit(12/13/2013 15:00:03.759:7970202) : cwd=/home/lanogbar/public_html
>> type=SYSCALL msg=audit(12/13/2013 15:00:03.759:7970202) : arch=x86_64 syscall=chmod
>> success=yes exit=0 a0=1585e520 a1=1ff a2=2f a3=146c1d40 items=1 ppid=27717 pid=8804 auid=root
>> uid=lanogbar gid=lanogbar euid=lanogbar suid=lanogbar fsuid=lanogbar egid=lanogbar
>> sgid=lanogbar fsgid=lanogbar tty=(none) ses=117304 comm=php exe=/usr/bin/php
>> key=lanogbar-public_html
>>
>> Do you think this is relevant?
>> If so, it would seem a php script was responsible.
>>
>> Would you have any suggestion on how to identify the script?
>>
>> Thank you very much for the very valuable help.
>> Kind regards,
>> Stefano
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
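
As an added illustration of the point about arch and syscall numbers (example code, not part of the thread): a small Python decoder for raw audit records that resolves arch=c000003e to x86_64, maps the syscall number per architecture, decodes the octal PATH mode= field, and recovers the requested mode from the chmod argument (a1=1ff is 0777). The records below are constructed copies of the ones quoted above with wrapped lines re-joined; the second SYSCALL record is rebuilt in raw form from the `ausearch -i` output, and the syscall table is a hand-written subset.

```python
import re
import stat
# Constructed copies of the records quoted above (wrapped lines re-joined, some
# fields trimmed); the second SYSCALL record is rebuilt in raw form from the
# `ausearch -i` output (arch=x86_64 -> c000003e, chmod -> 90, a1=1ff).
RAW = """\
type=PATH msg=audit(1386933561.795:7958476): item=2 name="./www" inode=4980752 dev=08:08 mode=0120777 ouid=501 ogid=501 rdev=00:00
type=PATH msg=audit(1386933561.795:7958476): item=1 name="./" inode=4980737 dev=08:08 mode=040711 ouid=501 ogid=501 rdev=00:00
type=PATH msg=audit(1386933561.795:7958476): item=0 name="public_html"
type=SYSCALL msg=audit(1386933561.795:7958476): arch=c000003e syscall=88 success=yes exit=0 a0=1306d160 a1=1306d200 a2=11 a3=0 items=3 pid=18731 auid=0 uid=501 comm="gtar" exe="/bin/tar" key="lanogbar-www"
type=PATH msg=audit(1386945603.759:7970202): item=0 name="/home/lanogbar/public_html/" inode=4980744 dev=08:08 mode=040750 ouid=501 ogid=99 rdev=00:00
type=SYSCALL msg=audit(1386945603.759:7970202): arch=c000003e syscall=90 success=yes exit=0 a0=1585e520 a1=1ff a2=2f a3=146c1d40 items=1 pid=8804 auid=0 uid=501 comm="php" exe="/usr/bin/php" key="lanogbar-public_html"
"""
ARCH = {"c000003e": "x86_64", "40000003": "i386"}
SYSCALLS = {  # hand-written subset; `ausyscall --dump` prints the full table
    "x86_64": {88: "symlink", 90: "chmod", 91: "fchmod", 268: "fchmodat"},
    "i386": {15: "chmod", 88: "reboot", 94: "fchmod", 306: "fchmodat"},
}
MODE_ARG = {"chmod": "a1", "fchmod": "a1", "fchmodat": "a2"}  # which aN holds the mode
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def decode_mode(mode_field):
    """PATH mode= is octal st_mode: file type bits plus permission bits."""
    m = int(mode_field, 8)
    kind = {stat.S_IFLNK: "symlink", stat.S_IFDIR: "dir", stat.S_IFREG: "file"}.get(stat.S_IFMT(m), "other")
    return kind, f"{stat.S_IMODE(m):o}"

def decode_event(records):
    """Resolve arch/syscall number for the SYSCALL record and decode its PATH items."""
    sc = next(r for r in records if r["type"] == "SYSCALL")
    arch = ARCH.get(sc["arch"], "unknown")
    name = SYSCALLS.get(arch, {}).get(int(sc["syscall"]), "syscall_" + sc["syscall"])
    ev = {"arch": arch, "syscall": name, "comm": sc.get("comm"), "exe": sc.get("exe")}
    if name in MODE_ARG:  # syscall args are logged as raw hex; 1ff -> 0777
        ev["mode"] = f"{int(sc[MODE_ARG[name]], 16) & 0o7777:o}"
    # item=0 of the first event carries no mode= field, so skip PATH items without one
    ev["paths"] = [(r["name"],) + decode_mode(r["mode"]) for r in records if r["type"] == "PATH" and "mode" in r]
    return ev

def summarize(raw):
    """Group records by the serial in msg=audit(ts:serial) and decode each event."""
    events = {}
    for line in raw.splitlines():
        rec = parse_record(line)
        serial = re.search(r":(\d+)\)", rec["msg"]).group(1)
        events.setdefault(serial, []).append(rec)
    return {serial: decode_event(recs) for serial, recs in events.items()}
```

Running `summarize(RAW)` shows the first event as an x86_64 symlink created by tar (the ./www item has a symlink mode of 0120777) and the second as chmod with mode 777 from php, which matches the 777 permission change being investigated.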
