The other day I set up a little shell script on a Debian server to send me an email when files change; it looks like this:

#!/bin/sh

items=`find /var/www/vhosts -regex ".*/httpdocs/.*" -newer files_start -ls`
if [ ! -z "$items" ]
then
 touch files_start
 echo "$items" | mail -s "new file(s)" "security@example.com"
fi

I kept getting notified of one mysterious 0-length text file (web-accessible, writable by PHP and the vhost user, but not Apache) getting modified 2-3 times a day, so I set up auditd with the following rule.

auditctl -l
LIST_RULES: exit,always watch=/var/www/vhosts/path/to/file.txt perm=rwa key=wh1

I tested it and with ausearch got, as expected:

...comm="touch" exe="/bin/touch"...

After getting the next email with the new mod date, I ran ausearch: no new matches!

How can this happen?

----UPDATE----

I discovered by other means that the process is PHP running as fastCGI invoked by Apache. The PHP function call is:

touch('path/to/file.txt');

So the question becomes: How does fastCGI PHP alter a file and escape detection by auditd? This is beginning to look like an auditd bug.
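As an added example (not the poster's script or anything from the thread), a Python monitor that records inode, mtime and ctime per file instead of only asking find -newer about mtime. It reports a file that was replaced under its old name (new inode), an mtime-only change such as a bare touch(), and a ctime-only change such as chmod as distinct events; the file names in demo() are constructed.

```python
import os
import stat
import tempfile
import time

def snapshot(root):
    """Map each regular file under root to (inode, mtime_ns, ctime_ns, size)."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # raced with a deletion; it surfaces as "deleted" next run
            if stat.S_ISREG(st.st_mode):
                snap[os.path.relpath(path, root)] = (st.st_ino, st.st_mtime_ns, st.st_ctime_ns, st.st_size)
    return snap

def diff(old, new):
    """Return (kind, relpath) events. 'replaced' = inode changed (file recreated or
    renamed over the path); 'modified' = mtime changed, which is all find -newer
    sees; 'metadata' = ctime-only change (chmod/chown) that find -newer misses."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append(("created", rel))
        elif rel not in new:
            events.append(("deleted", rel))
        else:
            o_ino, o_mtime, o_ctime, _ = old[rel]
            n_ino, n_mtime, n_ctime, _ = new[rel]
            if o_ino != n_ino:
                events.append(("replaced", rel))
            elif o_mtime != n_mtime:
                events.append(("modified", rel))
            elif o_ctime != n_ctime:
                events.append(("metadata", rel))
    return events

def demo():
    """Constructed scenario in a temp dir: one file touched, one replaced, one chmod'ed."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("touched.txt", "replaced.php", "chmodded.txt"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("original\n")
        before = snapshot(root)
        time.sleep(0.05)  # outrun coarse-grained kernel timestamps
        os.utime(os.path.join(root, "touched.txt"))  # atime/mtime only, like PHP's touch()
        tmp = os.path.join(root, "upload.tmp")
        with open(tmp, "w") as fh:
            fh.write("new content\n")
        os.replace(tmp, os.path.join(root, "replaced.php"))  # new inode under the old name
        os.chmod(os.path.join(root, "chmodded.txt"), 0o600)  # ctime-only change
        return diff(before, snapshot(root))
```

Run demo() to see the three event kinds side by side; in a cron job you would persist the snapshot between runs instead of using a temp dir.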

1 Answer

Delete that rule and try this:

auditctl -w <path-to-file> -p wa -k mystery-file

Also make sure /etc/init.d/auditd is started.

Aaron Tate
  • Thanks for the answer fenix, but that's essentially the auditctl call that generated the rule listed by auditctl -l, and auditd is definitely running. Any time I touch or cp or rm or ls or do anything to that file I get a log entry that shows up in ausearch. – Peter Rowntree Aug 24 '13 at 08:19