
I'm working on a Cent 6 Cpanel machine, and some mystery script is changing the permissions of home directories (!) to 777. I've ruled out all the easy fixes, so I just need to set up a watch on the directory and wait until it happens again.

The trouble is, my current rule:

`auditctl -w /home -pa -k homedir_perm_changes`

is watching the entire home directory recursively, and this partition stores emails and documentroots, so there's entirely too much information.

How can I pare down my rule such that it watches only the directories directly under /home, and not the entire (huge) directory tree beneath it?

Thanks!

steve c c
  • That is probably some not-so-bright user following some less-than-intelligent recipe to "make things work" by using `chmod(1)` at random... see the modification times of the directories, hunt down the affected users, and check if they did it (unless this is across the board, that is; in that case you have a _much_ more serious problem in your hands). – vonbrand Mar 02 '13 at 16:19
  • Yeah, it's definitely affecting multiple users. It's gotta be root doing it. Fortunately, side effects have been fairly limited. It's probably some cpanel silliness. – steve c c Mar 05 '13 at 13:41

1 Answer


It seems like this option is not implemented yet. Might be a technical limitation as system calls on inodes are watched.

Just an idea: You could work around this limitation with a good grep, for example:

`ausearch -i -k yourauditkey | grep "name=/etc/ "`

(Note the space after /etc/.) It is dirty, but it should help you, because it crops all subdirectories out.

  • Yes, That's what I had planned on doing. I'm more worried about the auditd log filling up though, since that partition gets a ton of disk traffic :-/ – steve c c Mar 05 '13 at 13:39
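A more selective version of the grep workaround from the answer, added here as an example that is not part of the original post: it keeps only PATH records whose name= is the given directory itself or exactly one level below it, so mail spools and document roots under each home drop out. The record layout and the sample lines are constructed to resemble `ausearch -i` output and are assumptions, not real audit logs.

```shell
# Added example (not from the original answer): post-filter for
# "ausearch -i" output that keeps only PATH records whose name= is the
# given directory itself or exactly one level below it.
# Usage: ausearch -i -k homedir_perm_changes | keep_direct_children /home

keep_direct_children() {
    dir="$1"   # used inside an ERE; plain paths like /home are fine
    # name= may be bare or double-quoted in ausearch output; accept the
    # directory, or the directory plus one path component, then a space
    # or end of line so /home/alice/public_html and /homeless drop out.
    grep -E 'name="?'"$dir"'(/[^/" ]+)?"?( |$)'
}

# Constructed sample records in the style of "ausearch -i" (not real logs).
SAMPLE='type=PATH msg=audit(03/05/2013 13:39:01.123:4567) : item=0 name=/home/alice inode=1234 mode=dir,777
type=PATH msg=audit(03/05/2013 13:39:02.456:4568) : item=0 name=/home/alice/public_html/index.php inode=5678 mode=file,644
type=PATH msg=audit(03/05/2013 13:39:03.789:4569) : item=0 name=/home/bob inode=2345 mode=dir,777
type=PATH msg=audit(03/05/2013 13:39:04.012:4570) : item=0 name=/home/bob/mail/cur/1234.msg inode=6789 mode=file,600
type=PATH msg=audit(03/05/2013 13:39:05.345:4571) : item=0 name=/homeless inode=3456 mode=dir,755'

# Runs the filter over the sample; only the two top-level records survive.
demo() {
    printf '%s\n' "$SAMPLE" | keep_direct_children /home
}

demo
```

This only trims what you read back with ausearch; auditd still writes every event under the recursive watch, so it does nothing for the log-volume concern raised in the comment.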