[CentOS] files automatically changing permissions

Thu May 29 03:03:38 UTC 2014
Tim Dunphy <bluethundr at gmail.com>

Hi Barry,

Ok well the permissions change happened again! And this time I was able to
capture some output thanks to your helpful tip on how to handle the
situation.

However I'm not sure how to interpret the output I got and was wondering if
I could have some help with that.

time->Wed May 28 22:59:43 2014

type=PATH msg=audit(1401332383.684:68621): item=0 name="/var/www/design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0

type=CWD msg=audit(1401332383.684:68621):  cwd="/"

type=SYSCALL msg=audit(1401332383.684:68621): arch=c000003e syscall=2 success=yes exit=20 a0=10172470 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14141 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"

----

time->Wed May 28 22:59:43 2014

type=PATH msg=audit(1401332383.685:68622): item=0 name="/var/www/design.mywebsite.com/htdocs/_swf/home/navart/draw6.swf" inode=391665 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0

type=CWD msg=audit(1401332383.685:68622):  cwd="/"

type=SYSCALL msg=audit(1401332383.685:68622): arch=c000003e syscall=2 success=yes exit=20 a0=10172088 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14141 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"

----

time->Wed May 28 22:59:43 2014

type=PATH msg=audit(1401332383.686:68623): item=0 name="/var/www/design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0

type=CWD msg=audit(1401332383.686:68623):  cwd="/"

type=SYSCALL msg=audit(1401332383.686:68623): arch=c000003e syscall=2 success=yes exit=20 a0=10169430 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14110 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"

----

time->Wed May 28 22:59:43 2014

type=PATH msg=audit(1401332383.687:68624): item=0 name="/var/www/design.mywebsite.com/htdocs/_swf/home/navart/draw5.swf" inode=391664 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0

type=CWD msg=audit(1401332383.687:68624):  cwd="/"

type=SYSCALL msg=audit(1401332383.687:68624): arch=c000003e syscall=2 success=yes exit=20 a0=10169048 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14110 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"

----

time->Wed May 28 22:59:43 2014

type=PATH msg=audit(1401332383.701:68625): item=0 name="/var/www/design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0

type=CWD msg=audit(1401332383.701:68625):  cwd="/"

type=SYSCALL msg=audit(1401332383.701:68625): arch=c000003e syscall=2 success=yes exit=20 a0=101764f0 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14114 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"

----

time->Wed May 28 22:59:43 2014

type=PATH msg=audit(1401332383.703:68626): item=0 name="/var/www/design.mywebsite.com/htdocs/_swf/wrapper/module_theDish.swf" inode=472086 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0

type=CWD msg=audit(1401332383.703:68626):  cwd="/"

type=SYSCALL msg=audit(1401332383.703:68626): arch=c000003e syscall=2 success=yes exit=20 a0=10176100 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14114 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"


Thanks


Tim


On Wed, May 28, 2014 at 10:47 PM, Tim Dunphy <bluethundr at gmail.com> wrote:

> I believe auditctl could help:
>> <
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls.html
>> >
>> <
>> http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
>> >
>
>
> Thanks Barry.. I'll give this a try
>
>
> On Wed, May 28, 2014 at 10:39 PM, Barry Brimer <lists at brimer.org> wrote:
>
>>
>> <snip>
>> > What I need to do is to figure out how to determine what exactly is
>> > changing the permissions on that directory's files so that I can put an
>> end
>> > to it. Right now I have a chown -Rv 775 running on the directory every 5
>> > minutes. But that is just going to contribute to load and can't be a
>> > permanent solution.
>> >
>> > The directory in question is on an NFS share. However I am unsure of
>> that
>> > being the cause.
>> >
>> > I'm afraid that I am at a loss for troubleshooting steps here. Can
>> someone
>> > please help me find some ways to track this down and put an end to this?
>>
>> I believe auditctl could help:
>>
>> <
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls.html
>> >
>> <
>> http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
>> >
>>
>> Barry
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>


-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
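
Added example, not part of the original message: a small Python reader for ausearch-style records like those above. On x86_64 (arch=c000003e) syscall 2 is open() and a1=0 is O_RDONLY, so records of that shape are reads; a permission change would appear as chmod/fchmod/fchmodat (90/91/268) or a chown-family call. The sample text, the second event and the key "perm-watch" are constructed for illustration.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers relevant to this thread.
SYSCALLS = {2: "open", 90: "chmod", 91: "fchmod", 268: "fchmodat",
            92: "chown", 93: "fchown", 94: "lchown", 260: "fchownat"}
ATTR_CHANGE = set(SYSCALLS.values()) - {"open"}
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

# Constructed sample in ausearch layout: the first event is modelled on the
# records in the post, the second is a made-up chmod event for contrast.
SAMPLE = '''\
type=PATH msg=audit(1401332383.684:68621): item=0 name="/var/www/example/htdocs/.htaccess" inode=87073 mode=0100775 ouid=48 ogid=8020
type=SYSCALL msg=audit(1401332383.684:68621): arch=c000003e syscall=2
success=yes exit=20 a0=10172470 a1=0 a2=1b6 items=1 pid=14141 auid=8018 uid=48
comm="httpd" exe="/opt/apache2/bin/httpd" key="shadow-file"
----
type=PATH msg=audit(1401332999.100:70001): item=0 name="/var/www/example/htdocs/.htaccess" inode=87073 mode=0100775 ouid=48 ogid=8020
type=SYSCALL msg=audit(1401332999.100:70001): arch=c000003e syscall=90
success=yes exit=0 a0=7ffd1000 a1=1a4 items=1 pid=20001 auid=8018 uid=0
comm="chmod" exe="/bin/chmod" key="perm-watch"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def summarize(text):
    """Group records by audit event id and describe each syscall."""
    events = defaultdict(dict)
    # Undo mail wrapping: a line that does not start a record continues the previous one.
    joined = re.sub(r'\n(?!type=|----|time->|$)', ' ', text)
    for line in joined.splitlines():
        m = re.search(r'msg=audit\([\d.]+:(\d+)\):', line)
        if not m:
            continue
        # PATH and SYSCALL records of one event share the id; merge their fields.
        events[m.group(1)].update({k: v.strip('"') for k, v in FIELD.findall(line)})
    out = []
    for eid, f in sorted(events.items(), key=lambda kv: int(kv[0])):
        name = SYSCALLS.get(int(f["syscall"]), "syscall " + f["syscall"])
        detail = ""
        if name == "open":      # a1 holds the open() flags (hex)
            detail = ACCMODE.get(int(f["a1"], 16) & 3, "?")
        elif name in ("chmod", "fchmod"):   # a1 holds the new mode (hex)
            detail = "mode " + oct(int(f["a1"], 16))
        out.append({"event": eid, "syscall": name, "detail": detail, "exe": f["exe"],
                    "path": f.get("name"), "changes_attrs": name in ATTR_CHANGE})
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
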