Re: need help interpreting ausearch results
What's the actual rule? On my system, syscall 88 is either symlink (64 bit) or reboot
(32 bit).
On Sat, Dec 21 2013 at 04:48, Stefano Schiavi wrote:
Hello,
Could anyone help with this? I really don't know where else to ask.
Thank you very much.
Stefano
On 12/15/13, 12:19 AM, Stefano Schiavi wrote:
> Hello,
>
> Thank you Steve and all for keeping up the great work here.
>
> Some time ago I setup some audit rules to monitor what would change the permissions
of the
> public_html directory since we found that once in a while it would change to 777 out
of the
> blue.
>
> It happened again yesterday and I believe these parts of the log represent when the
issue
> happened:
>
> type=PATH msg=audit(1386933561.795:7958476): item=2 name="./www"
inode=4980752 dev=08:08
> mode=0120777 ouid=501 ogid=501 rdev=00:00
> type=PATH msg=audit(1386933561.795:7958476): item=1 name="./" inode=4980737
dev=08:08
> mode=040711 ouid=501 ogid=501 rdev=00:00
> type=PATH msg=audit(1386933561.795:7958476): item=0 name="public_html"
> type=CWD msg=audit(1386933561.795:7958476): cwd="/home/lanogbar"
> type=SYSCALL msg=audit(1386933561.795:7958476): arch=c000003e syscall=88 success=yes
exit=0
> a0=1306d160 a1=1306d200 a2=11 a3=0 items=3 ppid=18728 pid=18731 auid=0 uid=501
gid=501
> euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=117304
comm="gtar"
> exe="/bin/tar" key="lanogbar-www"
>
>
> This is just a guess though and I can not be sure as I have no experience parsing
the
> logs. Looking through with the I flag we can see the following::
>
> type=PATH msg=audit(12/13/2013 15:00:03.759:7970202) : item=0
> name=/home/lanogbar/public_html/ inode=4980744 dev=08:08 mode=dir,750 ouid=lanogbar
> ogid=nobody rdev=00:00
> type=CWD msg=audit(12/13/2013 15:00:03.759:7970202) : cwd=/home/lanogbar/public_html
> type=SYSCALL msg=audit(12/13/2013 15:00:03.759:7970202) : arch=x86_64 syscall=chmod
> success=yes exit=0 a0=1585e520 a1=1ff a2=2f a3=146c1d40 items=1 ppid=27717 pid=8804
auid=root
> uid=lanogbar gid=lanogbar euid=lanogbar suid=lanogbar fsuid=lanogbar egid=lanogbar
> sgid=lanogbar fsgid=lanogbar tty=(none) ses=117304 comm=php exe=/usr/bin/php
> key=lanogbar-public_html
>
> Do you think this is relevant?
> If so it would seem a php script was responsible.
>
> Would you have any suggestion on how to identify the script?
>
> Thank you very much for the very valuable help.
> Kind regards,
> Stefano
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit