Hi Barry,
Ok well the permissions change happened again! And this time I was able to capture some output thanks to your helpful tip on how to handle the situation.
However I'm not sure how to interpret the output I got and was wondering if I could have some help with that.
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.684:68621): item=0 name="/var/www/ design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.684:68621): cwd="/"
type=SYSCALL msg=audit(1401332383.684:68621): arch=c000003e syscall=2 success=yes exit=20 a0=10172470 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14141 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.685:68622): item=0 name="/var/www/ design.mywebsite.com/htdocs/_swf/home/navart/draw6.swf" inode=391665 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.685:68622): cwd="/"
type=SYSCALL msg=audit(1401332383.685:68622): arch=c000003e syscall=2 success=yes exit=20 a0=10172088 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14141 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.686:68623): item=0 name="/var/www/ design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.686:68623): cwd="/"
type=SYSCALL msg=audit(1401332383.686:68623): arch=c000003e syscall=2 success=yes exit=20 a0=10169430 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14110 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.687:68624): item=0 name="/var/www/ design.mywebsite.com/htdocs/_swf/home/navart/draw5.swf" inode=391664 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.687:68624): cwd="/"
type=SYSCALL msg=audit(1401332383.687:68624): arch=c000003e syscall=2 success=yes exit=20 a0=10169048 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14110 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.701:68625): item=0 name="/var/www/ design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.701:68625): cwd="/"
type=SYSCALL msg=audit(1401332383.701:68625): arch=c000003e syscall=2 success=yes exit=20 a0=101764f0 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14114 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.703:68626): item=0 name="/var/www/ design.mywebsite.com/htdocs/_swf/wrapper/module_theDish.swf" inode=472086 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.703:68626): cwd="/"
type=SYSCALL msg=audit(1401332383.703:68626): arch=c000003e syscall=2 success=yes exit=20 a0=10176100 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14114 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
Thanks
Tim
On Wed, May 28, 2014 at 10:47 PM, Tim Dunphy bluethundr@gmail.com wrote:
I believe auditctl could help:
< https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
< http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a...
Thanks Barry.. I'll give this a try
On Wed, May 28, 2014 at 10:39 PM, Barry Brimer lists@brimer.org wrote:
<snip>
> What I need to do is to figure out how to determine what exactly is
> changing the permissions on that directory's files so that I can put an end
> to it. Right now I have a chown -Rv 775 running on the directory every 5
> minutes. But that is just going to contribute to load and can't be a
> permanent solution.
>
> The directory in question is on an NFS share. However I am unsure of that
> being the cause.
>
> I'm afraid that I am at a loss for troubleshooting steps here. Can someone
> please help me find some ways to track this down and put an end to this?
I believe auditctl could help:
< https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
< http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a...
Barry
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
-- GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
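
One way to read the audit records quoted in this thread, as an added example that is not part of the original messages: the script groups records by audit serial number and decodes the syscall, showing that `syscall=2` on `arch=c000003e` (x86_64) is `open` with `a1=0` (read-only), so those events record httpd reading files rather than a mode or ownership change. Events 68621 and 68622 are abridged from the thread; event 90001, its path, its `example-job` program and the `perm-change` key are constructed for contrast, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers that matter for this question.
SYSCALLS = {2: "open", 90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown",
            94: "lchown", 260: "fchownat", 268: "fchmodat"}
ATTR_CHANGERS = set(SYSCALLS.values()) - {"open"}
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

# Events 68621/68622 are abridged from the thread; 90001 is CONSTRUCTED for contrast.
SAMPLE = '''\
type=PATH msg=audit(1401332383.684:68621): item=0 name="/var/www/ design.mywebsite.com/htdocs/.htaccess" inode=87073 mode=0100775 ouid=48 ogid=8020
type=SYSCALL msg=audit(1401332383.684:68621): arch=c000003e syscall=2 success=yes exit=20 a0=10172470 a1=0 a2=1b6 auid=8018 uid=48 comm="httpd" exe="/opt/apache2/bin/httpd" key="shadow-file"
----
type=PATH msg=audit(1401332383.685:68622): item=0 name="/var/www/ design.mywebsite.com/htdocs/_swf/home/navart/draw6.swf" inode=391665 mode=0100775 ouid=48 ogid=8020
type=SYSCALL msg=audit(1401332383.685:68622): arch=c000003e syscall=2 success=yes exit=20 a0=10172088 a1=0 a2=0 auid=8018 uid=48 comm="httpd" exe="/opt/apache2/bin/httpd" key="shadow-file"
----
type=PATH msg=audit(1401332400.000:90001): item=0 name="/srv/example/file.txt" inode=1 mode=0100775 ouid=48 ogid=8020
type=SYSCALL msg=audit(1401332400.000:90001): arch=c000003e syscall=90 success=yes exit=0 a0=1 a1=1a4 a2=0 auid=0 uid=0 comm="example-job" exe="/usr/local/bin/example-job" key="perm-change"
'''

MSG_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records sharing an audit serial number into one dict per event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # separators ("----") and "time->" lines
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rec_type = fields.pop("type")
        events[int(m.group(1))][rec_type] = fields
    return dict(events)

def summarize(event):
    """Decode one event: syscall name, open() access mode, actor and target path."""
    sc, path = event["SYSCALL"], event.get("PATH", {})
    name = SYSCALLS.get(int(sc["syscall"]), "syscall#" + sc["syscall"])
    detail = ACCESS.get(int(sc["a1"], 16) & 3, "?") if name == "open" else ""
    return {"syscall": name, "detail": detail, "exe": sc["exe"], "uid": sc["uid"],
            "auid": sc["auid"], "path": path.get("name"),
            "changes_attrs": name in ATTR_CHANGERS}

def attribute_changes(text):
    """Return serials of events that could alter mode or ownership."""
    return sorted(s for s, e in parse_events(text).items()
                  if "SYSCALL" in e and summarize(e)["changes_attrs"])

if __name__ == "__main__":
    for serial, ev in sorted(parse_events(SAMPLE).items()):
        print(serial, summarize(ev))
```

A watch created with `auditctl -w <path> -p a -k <key>` records only attribute changes, which keeps read-only opens like the ones above out of the log.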