parameters of command in audit.log
Posted: 2019/04/15 08:38:16
Hello,
I need help with configuring or understanding the auditd service.
My problem is that I do not see the parameters of, let's say, chmod. I see that it was used, but I do not know what the parameter was (I want to search for files where +x permission was added). Below I am presenting the chmod log from audit.log. I used chmod 777 on file testtest.sh and I see this log:
type=SYSCALL msg=audit(1555317071.522:85615285): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=9980f0 a2=1ff a3=7ffc0a2bd160 items=1 ppid=3553 pid=6592 auid=1023 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=52335 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=CWD msg=audit(1555317071.522:85615285): cwd="/root"
type=PATH msg=audit(1555317071.522:85615285): item=0 name="testtest.sh" inode=1716 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1555317071.522:85615285): proctitle=63686D6F64003737370074657374746573742E7368
I see the command was used but I do not see what permission was granted. In this log I still see the old permission under mode=
Could you please advise?
Best Regards!
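The requested mode is in the event, but raw audit records do not interpret it. On x86_64 (arch=c000003e) syscall 268 is fchmodat(dirfd, path, mode, flags), so a2=1ff is the mode argument: 0x1ff is octal 0777. The mode= in the PATH record is the inode state when the syscall started, which is why it still shows 0100600. The PROCTITLE value is the command line hex-encoded with NUL between arguments; 63686D6F64003737370074657374746573742E7368 decodes to "chmod 777 testtest.sh". (ausearch -i performs the same interpretation on the command line.) The following script, added here as an example and not part of the original post, parses the records quoted above, decodes the mode argument for chmod, fchmod and fchmodat on x86_64, and compares it with the old mode to report which execute bits were newly added; the sample event is the one from the post, embedded as constructed input.

```python
import re

# Constructed sample: the four records quoted in the post (one audit event).
SAMPLE_EVENT = [
    'type=SYSCALL msg=audit(1555317071.522:85615285): arch=c000003e syscall=268 success=yes exit=0 '
    'a0=ffffffffffffff9c a1=9980f0 a2=1ff a3=7ffc0a2bd160 items=1 ppid=3553 pid=6592 auid=1023 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=52335 comm="chmod" '
    'exe="/usr/bin/chmod" key="perm_mod"',
    'type=CWD msg=audit(1555317071.522:85615285): cwd="/root"',
    'type=PATH msg=audit(1555317071.522:85615285): item=0 name="testtest.sh" inode=1716 dev=fd:00 '
    'mode=0100600 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 '
    'cap_fi=0000000000000000 cap_fe=0 cap_fver=0',
    'type=PROCTITLE msg=audit(1555317071.522:85615285): '
    'proctitle=63686D6F64003737370074657374746573742E7368',
]

# x86_64 (arch=c000003e) syscall numbers of the mode-changing calls and the
# argument register (a0..a3) that carries the requested mode for each.
SYSCALLS_X86_64 = {90: ("chmod", "a1"), 91: ("fchmod", "a1"), 268: ("fchmodat", "a2")}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_proctitle(value):
    """proctitle is hex-encoded when it contains NULs (the argv separators)."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")
    return value.split()  # plain (unencoded) proctitle


def analyse_event(lines):
    """Interpret one chmod-family event; returns None for other syscalls/arches."""
    by_type = {}
    for rec in (parse_record(l) for l in lines):
        by_type.setdefault(rec["type"], []).append(rec)
    sc = by_type["SYSCALL"][0]
    if sc["arch"] != "c000003e" or int(sc["syscall"]) not in SYSCALLS_X86_64:
        return None
    name, mode_reg = SYSCALLS_X86_64[int(sc["syscall"])]
    new_mode = int(sc[mode_reg], 16) & 0o7777          # requested permission bits
    path = next(p for p in by_type["PATH"] if p["item"] == "0")
    old_mode = int(path["mode"], 8) & 0o7777           # mode before the call
    return {
        "syscall": name,
        "success": sc["success"] == "yes",
        "file": path["name"],
        "cwd": by_type["CWD"][0]["cwd"],
        "old_mode": old_mode,
        "new_mode": new_mode,
        # execute bits present in the new mode but absent from the old one
        "added_exec": (new_mode & ~old_mode) & 0o111,
        "argv": decode_proctitle(by_type["PROCTITLE"][0]["proctitle"]),
    }


if __name__ == "__main__":
    r = analyse_event(SAMPLE_EVENT)
    print(f'{r["syscall"]} on {r["cwd"]}/{r["file"]}: {oct(r["old_mode"])} -> {oct(r["new_mode"])}')
    print("execute bits added:", oct(r["added_exec"]), "| command:", " ".join(r["argv"]))
```

Feeding the whole audit.log through this (grouping lines by the serial number in msg=audit(...)) and keeping events with a non-zero added_exec answers the original question of which files gained +x. The syscall table is arch-specific: for 32-bit records (arch=40000003) the numbers differ, which is why the script refuses to interpret them rather than guessing.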