
I'm having an issue with a cPanel shared server running CentOS 5 where a few directories under the public_html folder keep getting changed to 777 from 755. The customer says they are not changing it, and I'm wondering if there is a way to monitor these specific directories to find out who/what is changing the permissions.

I have looked into using auditctl, and after testing it and changing the permissions myself I don't see anything in the logs, so I'm not sure if I'm doing it right or if it's even possible.

Does anybody have any suggestions or ideas on how I could figure out what is changing the permissions?

Thanks!!

sMyles

1 Answer

auditd works for me.

I created a file named /var/www/html/1.

I edited /etc/audit/audit.rules, added the following, and restarted auditd:

-w /var/www/html/1

Then I ran the following command:

# chmod 777 /var/www/html/1

In /var/log/audit/audit.log I saw the following:

type=SYSCALL msg=audit(1349582090.742:414): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=17be0f0 a2=1ff a3=4000 items=1 ppid=2859 pid=3069 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1349582090.742:414):  cwd="/root"
type=PATH msg=audit(1349582090.742:414): item=0 name="/var/www/html/1" inode=6171184 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_content_t:s0

Tested in Fedora 17.

Minto Joseph
    Yup works great, here's a site with some useful info too: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html – sMyles Mar 13 '13 at 15:25
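
An added example (not part of the answer above): a small Python parser that groups audit.log records by event ID and reports successful chmod-family calls that set the world-writable bit, decoding `a2=1ff` in the record above to mode 0777 and naming the login UID and executable responsible. The syscall-number table assumes x86_64 (`arch=c000003e`), the function names are illustrative, and the sample log is the answer's records with the SELinux fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: the three records from the answer, SELinux subj/obj fields trimmed.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1349582090.742:414): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=17be0f0 a2=1ff a3=4000 items=1 ppid=2859 pid=3069 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=2 comm="chmod" exe="/usr/bin/chmod" key=(null)
type=CWD msg=audit(1349582090.742:414):  cwd="/root"
type=PATH msg=audit(1349582090.742:414): item=0 name="/var/www/html/1" inode=6171184 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
'''

# Which syscall argument carries the new mode (x86_64 numbers only).
MODE_ARG = {"90": "a1", "91": "a1", "268": "a2"}  # chmod, fchmod, fchmodat
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            fields["time"] = ts
            events[serial][rtype] = fields  # keeps the last PATH if several
    return events

def world_writable_chmods(text):
    """One finding per successful chmod-family call whose new mode has o+w."""
    findings = []
    for serial, recs in parse_events(text).items():
        sc, path = recs.get("SYSCALL"), recs.get("PATH")
        if not sc or not path or sc.get("arch") != "c000003e":
            continue
        arg = MODE_ARG.get(sc.get("syscall"))
        if arg is None or sc.get("success") != "yes":
            continue
        new_mode = int(sc[arg], 16) & 0o7777  # audit logs arguments in hex
        if new_mode & 0o002:
            findings.append({
                "event": serial, "time": sc["time"], "path": path["name"],
                "new_mode": "%04o" % new_mode, "auid": sc["auid"],
                "uid": sc["uid"], "pid": sc["pid"], "ppid": sc["ppid"],
                "exe": sc["exe"],
            })
    return findings

if __name__ == "__main__":
    for f in world_writable_chmods(SAMPLE_LOG):
        print(f)
```

The `auid` field is the login UID that started the session, so it stays attributable even when the change runs as root (`uid=0`), and `ppid` points at the parent process to examine next.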