need help interpreting ausearch results
Hello,
Thank you Steve and all for keeping up the great work here.
Some time ago I setup some audit rules to monitor what would change the
permissions of the public_html directory since we found that once in a
while it would change to 777 out of the blue.
It happened again yesterday and I believe these parts of the log
represent when the issue happened:
type=PATH msg=audit(1386933561.795:7958476): item=2 name="./www"
inode=4980752 dev=08:08 mode=0120777 ouid=501 ogid=501 rdev=00:00
type=PATH msg=audit(1386933561.795:7958476): item=1 name="./"
inode=4980737 dev=08:08 mode=040711 ouid=501 ogid=501 rdev=00:00
type=PATH msg=audit(1386933561.795:7958476): item=0 name="public_html"
type=CWD msg=audit(1386933561.795:7958476): cwd="/home/lanogbar"
type=SYSCALL msg=audit(1386933561.795:7958476): arch=c000003e syscall=88
success=yes exit=0 a0=1306d160 a1=1306d200 a2=11 a3=0 items=3 ppid=18728
pid=18731 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501
sgid=501 fsgid=501 tty=(none) ses=117304 comm="gtar" exe="/bin/tar"
key="lanogbar-www"
This is just a guess though and I can not be sure as I have no
experience parsing the logs. Looking through with the I flag we can see
the following::
type=PATH msg=audit(12/13/2013 15:00:03.759:7970202) : item=0
name=/home/lanogbar/public_html/ inode=4980744 dev=08:08 mode=dir,750
ouid=lanogbar ogid=nobody rdev=00:00
type=CWD msg=audit(12/13/2013 15:00:03.759:7970202) :
cwd=/home/lanogbar/public_html
type=SYSCALL msg=audit(12/13/2013 15:00:03.759:7970202) : arch=x86_64
syscall=chmod success=yes exit=0 a0=1585e520 a1=1ff a2=2f a3=146c1d40
items=1 ppid=27717 pid=8804 auid=root uid=lanogbar gid=lanogbar
euid=lanogbar suid=lanogbar fsuid=lanogbar egid=lanogbar sgid=lanogbar
fsgid=lanogbar tty=(none) ses=117304 comm=php exe=/usr/bin/php
key=lanogbar-public_html
Do you think this is relevant?
If so it would seem a php script was responsible.
Would you have any suggestion on how to identify the script?
Thank you very much for the very valuable help.
Kind regards,
Stefano