From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Moody
Subject: Re: need help interpreting ausearch results
Date: Sun, 22 Dec 2013 09:05:05 -0800
Message-ID: <87d2koddfi.fsf@root.hda3.com>
References: <52ACE768.7030606@gmail.com> <52B58E25.4080007@gmail.com>
In-Reply-To: <52B58E25.4080007@gmail.com> (Stefano Schiavi's message of "Sat, 21 Dec 2013 13:48:37 +0100")
To: Stefano Schiavi
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

What's the actual rule? On my system, syscall 88 is either symlink (64 bit) or reboot (32 bit).

On Sat, Dec 21 2013 at 04:48, Stefano Schiavi wrote:
> Hello,
>
> Could anyone help with this? I really don't know where else to ask.
>
> Thank you very much.
> Stefano
>
>
> On 12/15/13, 12:19 AM, Stefano Schiavi wrote:
>> Hello,
>>
>> Thank you Steve and all for keeping up the great work here.
>>
>> Some time ago I set up some audit rules to monitor what would change the permissions of the
>> public_html directory since we found that once in a while it would change to 777 out of the
>> blue.
>>
>> It happened again yesterday and I believe these parts of the log represent when the issue
>> happened:
>>
>> type=PATH msg=audit(1386933561.795:7958476): item=2 name="./www" inode=4980752 dev=08:08 mode=0120777 ouid=501 ogid=501 rdev=00:00
>> type=PATH msg=audit(1386933561.795:7958476): item=1 name="./" inode=4980737 dev=08:08 mode=040711 ouid=501 ogid=501 rdev=00:00
>> type=PATH msg=audit(1386933561.795:7958476): item=0 name="public_html"
>> type=CWD msg=audit(1386933561.795:7958476): cwd="/home/lanogbar"
>> type=SYSCALL msg=audit(1386933561.795:7958476): arch=c000003e syscall=88 success=yes exit=0 a0=1306d160 a1=1306d200 a2=11 a3=0 items=3 ppid=18728 pid=18731 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=117304 comm="gtar" exe="/bin/tar" key="lanogbar-www"
>>
>>
>> This is just a guess though and I cannot be sure as I have no experience parsing the
>> logs. Looking through with the -i flag we can see the following:
>>
>> type=PATH msg=audit(12/13/2013 15:00:03.759:7970202) : item=0 name=/home/lanogbar/public_html/ inode=4980744 dev=08:08 mode=dir,750 ouid=lanogbar ogid=nobody rdev=00:00
>> type=CWD msg=audit(12/13/2013 15:00:03.759:7970202) : cwd=/home/lanogbar/public_html
>> type=SYSCALL msg=audit(12/13/2013 15:00:03.759:7970202) : arch=x86_64 syscall=chmod success=yes exit=0 a0=1585e520 a1=1ff a2=2f a3=146c1d40 items=1 ppid=27717 pid=8804 auid=root uid=lanogbar gid=lanogbar euid=lanogbar suid=lanogbar fsuid=lanogbar egid=lanogbar sgid=lanogbar fsgid=lanogbar tty=(none) ses=117304 comm=php exe=/usr/bin/php key=lanogbar-public_html
>>
>> Do you think this is relevant?
>> If so it would seem a php script was responsible.
>>
>> Would you have any suggestion on how to identify the script?
>>
>> Thank you very much for the very valuable help.
>> Kind regards,
>> Stefano
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
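Added example, not part of the thread: a small Python parser for raw (non -i) audit records like the ones quoted above. It groups records by event serial, resolves the syscall number per ABI (88 is symlink only on x86_64), decodes the chmod mode argument (a1=1ff is 0777) and splits each PATH mode into object type and permission bits, which shows that mode=0120777 on ./www is a symlink created by tar rather than a directory made world-writable. The x86_64 syscall numbers and the raw rendering of the php chmod event are my assumptions; the tar records are the ones quoted in the thread.

```python
import re
from collections import defaultdict
# Assumption (not from the thread): x86_64 syscall numbers from the kernel's syscall_64.tbl.
SYSCALLS_X86_64 = {88: "symlink", 90: "chmod", 91: "fchmod"}
FILETYPES = {0o120000: "symlink", 0o040000: "dir", 0o100000: "file"}
REC_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed sample: the raw tar records quoted in the thread, plus a raw rendering of the
# php chmod event (the thread shows only its -i form; serial, pids, a0-a3 and key are as quoted).
SAMPLE = """\
type=PATH msg=audit(1386933561.795:7958476): item=2 name="./www" inode=4980752 dev=08:08 mode=0120777 ouid=501 ogid=501 rdev=00:00
type=PATH msg=audit(1386933561.795:7958476): item=1 name="./" inode=4980737 dev=08:08 mode=040711 ouid=501 ogid=501 rdev=00:00
type=PATH msg=audit(1386933561.795:7958476): item=0 name="public_html"
type=CWD msg=audit(1386933561.795:7958476): cwd="/home/lanogbar"
type=SYSCALL msg=audit(1386933561.795:7958476): arch=c000003e syscall=88 success=yes exit=0 a0=1306d160 a1=1306d200 a2=11 a3=0 items=3 ppid=18728 pid=18731 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=117304 comm="gtar" exe="/bin/tar" key="lanogbar-www"
type=PATH msg=audit(1386946803.759:7970202): item=0 name="/home/lanogbar/public_html/" inode=4980744 dev=08:08 mode=040750 rdev=00:00
type=CWD msg=audit(1386946803.759:7970202): cwd="/home/lanogbar/public_html"
type=SYSCALL msg=audit(1386946803.759:7970202): arch=c000003e syscall=90 success=yes exit=0 a0=1585e520 a1=1ff a2=2f a3=146c1d40 items=1 ppid=27717 pid=8804 auid=0 uid=501 gid=501 tty=(none) ses=117304 comm="php" exe="/usr/bin/php" key="lanogbar-public_html"
"""
def decode_mode(mode):
    # PATH mode is octal; the type bits explain why a symlink (0120777) always reports 777.
    if mode is None:
        return (None, None)
    m = int(mode, 8)
    return (FILETYPES.get(m & 0o170000, "other"), "%o" % (m & 0o7777))

def parse_records(text):
    # Group raw (non -i) records by event serial into their SYSCALL, CWD and PATH parts.
    events = defaultdict(lambda: {"SYSCALL": None, "CWD": None, "PATH": []})
    for m in filter(None, map(REC_RE.match, text.splitlines())):
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if rtype == "PATH":
            events[serial]["PATH"].append(fields)
        elif rtype in ("SYSCALL", "CWD"):
            events[serial][rtype] = fields
    return events

def interpret(ev):
    sc = ev["SYSCALL"]
    num = int(sc["syscall"])
    # Numbers are per-ABI: 88 is symlink on x86_64 (arch=c000003e) but reboot on i386.
    name = SYSCALLS_X86_64.get(num, f"#{num}") if sc["arch"] == "c000003e" else f"#{num}"
    out = {"syscall": name, "comm": sc["comm"], "exe": sc["exe"], "auid": sc["auid"],
           "uid": sc["uid"], "key": sc["key"], "cwd": ev["CWD"]["cwd"] if ev["CWD"] else None}
    if name in ("chmod", "fchmod"):
        out["requested_mode"] = "%o" % int(sc["a1"], 16)  # the mode argument is a1, in hex
    out["paths"] = [(p["name"], *decode_mode(p.get("mode"))) for p in ev["PATH"]]
    return out
```

Running `interpret` over both events in `parse_records(SAMPLE)` gives a symlink by gtar for the first serial and a chmod to 0777 of public_html by php (cwd /home/lanogbar/public_html, auid 0) for the second, which is the event worth correlating with the web server's request log for that pid and timestamp.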