Hi Barry,

OK, well the permissions change happened again! And this time I was able to capture some output thanks to your helpful tip on how to handle the situation. However, I'm not sure how to interpret the output I got and was wondering if I could have some help with that.

time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.684:68621): item=0 name="/var/www/design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.684:68621): cwd="/"
type=SYSCALL msg=audit(1401332383.684:68621): arch=c000003e syscall=2 success=yes exit=20 a0=10172470 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14141 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.685:68622): item=0 name="/var/www/design.mywebsite.com/htdocs/_swf/home/navart/draw6.swf" inode=391665 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.685:68622): cwd="/"
type=SYSCALL msg=audit(1401332383.685:68622): arch=c000003e syscall=2 success=yes exit=20 a0=10172088 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14141 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.686:68623): item=0 name="/var/www/design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.686:68623): cwd="/"
type=SYSCALL msg=audit(1401332383.686:68623): arch=c000003e syscall=2 success=yes exit=20 a0=10169430 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14110 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.687:68624): item=0 name="/var/www/design.mywebsite.com/htdocs/_swf/home/navart/draw5.swf" inode=391664 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.687:68624): cwd="/"
type=SYSCALL msg=audit(1401332383.687:68624): arch=c000003e syscall=2 success=yes exit=20 a0=10169048 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14110 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.701:68625): item=0 name="/var/www/design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.701:68625): cwd="/"
type=SYSCALL msg=audit(1401332383.701:68625): arch=c000003e syscall=2 success=yes exit=20 a0=101764f0 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14114 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.703:68626): item=0 name="/var/www/design.mywebsite.com/htdocs/_swf/wrapper/module_theDish.swf" inode=472086 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.703:68626): cwd="/"
type=SYSCALL msg=audit(1401332383.703:68626): arch=c000003e syscall=2 success=yes exit=20 a0=10176100 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14114 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"

Thanks
Tim

On Wed, May 28, 2014 at 10:47 PM, Tim Dunphy <bluethundr at gmail.com> wrote:

> I believe auditctl could help:
>> <https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls.html>
>> <http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html>
>
> Thanks Barry.. I'll give this a try
>
> On Wed, May 28, 2014 at 10:39 PM, Barry Brimer <lists at brimer.org> wrote:
>
>> <snip>
>> > What I need to do is to figure out how to determine what exactly is
>> > changing the permissions on that directory's files so that I can put an
>> > end to it. Right now I have a chown -Rv 775 running on the directory
>> > every 5 minutes. But that is just going to contribute to load and can't
>> > be a permanent solution.
>> >
>> > The directory in question is on an NFS share. However I am unsure of
>> > that being the cause.
>> >
>> > I'm afraid that I am at a loss for troubleshooting steps here. Can
>> > someone please help me find some ways to track this down and put an end
>> > to this?
>>
>> I believe auditctl could help:
>>
>> <https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls.html>
>> <http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html>
>>
>> Barry
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
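
An added example, not part of the original message: one way to read ausearch output like the records above is to group records by event serial number, name the syscall, and decode the `a1` open flags and the PATH `mode`. Read this way, every event in the post is `syscall=2` (open on x86_64) with `a1=0` (read-only) made by httpd; none is a chmod or chown call. Event 68621 is shortened from the post; event 99001 and the names `parse_events` and `summarize` are constructed for illustration.

```python
import re
import stat

# x86_64 (arch=c000003e) syscall numbers; all except open change mode or ownership.
SYSCALLS = {2: "open", 90: "chmod", 91: "fchmod", 92: "chown", 93: "fchown",
            94: "lchown", 260: "fchownat", 268: "fchmodat"}
CHANGES_PERMS = set(SYSCALLS) - {2}
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

# Event 68621 is shortened from the post. Event 99001 is CONSTRUCTED to show
# what an actual permission change would look like in the same format.
SAMPLE = """\
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.684:68621): item=0 name="/var/www/design.mywebsite.com/htdocs/.htaccess" inode=87073 mode=0100775 ouid=48 ogid=8020
type=SYSCALL msg=audit(1401332383.684:68621): arch=c000003e syscall=2 success=yes exit=20 a0=10172470 a1=0 a2=1b6 auid=8018 uid=48 comm="httpd" exe="/opt/apache2/bin/httpd" key="shadow-file"
----
time->Wed May 28 23:00:00 2014
type=PATH msg=audit(1401332400.000:99001): item=0 name="/srv/example/file.txt" inode=1 mode=0100775 ouid=48 ogid=8020
type=SYSCALL msg=audit(1401332400.000:99001): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd0000 a1=1a4 a2=0 auid=1000 uid=0 comm="chmod" exe="/bin/chmod" key="constructed-example"
"""

def parse_events(text):
    """Group records by event serial number and merge their key=value fields."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events.setdefault(int(m.group(1)), {}).update(fields)
    return events

def summarize(ev):
    """Name the syscall, decode its arguments, and flag permission changes."""
    nr = int(ev["syscall"])
    name = SYSCALLS.get(nr, f"syscall#{nr}")
    detail = ""
    if name == "open":                      # a1 holds the open(2) flags, in hex
        detail = ACCESS.get(int(ev["a1"], 16) & 3, "?")
    elif name in ("chmod", "fchmod"):       # a1 holds the requested mode, in hex
        detail = oct(int(ev["a1"], 16))
    return {"syscall": name, "detail": detail, "path": ev.get("name"),
            "perms": stat.filemode(int(ev["mode"], 8)) if "mode" in ev else None,
            "by": f'{ev["exe"]} uid={ev["uid"]} auid={ev["auid"]}',
            "changes_perms": nr in CHANGES_PERMS}

if __name__ == "__main__":
    for serial, ev in sorted(parse_events(SAMPLE).items()):
        print(serial, summarize(ev))
```

A watch limited to attribute changes (`auditctl -w <path> -p a -k <key>`) records chmod/chown activity without the read noise. Changes made from another NFS client are not syscalls on this host and will not appear in its audit log.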