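# Triage for a Nagios install that cannot write under /usr/local/nagios/var:
# the most recent audit records, the effective mode/owner of every path
# component down to each file, and the nagios/apache accounts and groups.
#
# NOTE: audit.log contains internal IPs, hostnames, session ids and SSH
# host-key fingerprints. Redact before pasting it anywhere public.

# Last 30 audit records. On an SELinux-enforcing host look for type=AVC
# (denial) lines; if none appear the failure is less likely to be policy
# (dontaudit rules aside) and more likely plain file permissions.
# Successful USER_AUTH acct="root" ... terminal=ssh records mean direct
# root logins over SSH are allowed -- worth turning off (PermitRootLogin no).
tail -n 30 /var/log/audit/audit.log

# Mode (-m) and owner/group (-o) for each component from / down to every
# entry in var/. Expected: root-owned 0755 directories down to the nagios
# tree, nagios-owned files inside var/. A 'drwsrwsrwt' (0777 plus
# setuid/setgid/sticky) on /usr, /usr/local or anything below is a
# misconfiguration to undo with chmod, not a Nagios problem: any local
# account can drop files into directories root and daemons execute from.
namei -mo /usr/local/nagios/var/*

# Accounts and groups involved. egrep is deprecated in current GNU grep;
# grep -E is identical. 'nag' deliberately also matches the nagcmd group.
# A service account with a real login shell (/bin/bash) is an avoidable
# foothold; /sbin/nologin, as apache uses, is the norm unless someone
# genuinely logs in as nagios.
grep -E 'nag|apach' /etc/passwd
grep -E 'nag|apach' /etc/group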
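# Same triage set: recent audit events, permissions along the full path of
# every file in the Nagios var directory, and the related accounts/groups.
# Redact IPs, hostnames and key fingerprints from audit.log before sharing.

# Recent audit records; type=AVC lines would indicate SELinux denials.
tail -n 30 /var/log/audit/audit.log

# Mode and ownership of every path component. Anything world-writable or
# carrying setuid/setgid on /usr or /usr/local (e.g. 'drwsrwsrwt') needs a
# chmod back to 0755 before looking any further at Nagios itself.
namei -mo /usr/local/nagios/var/*

# egrep is a deprecated alias; grep -E behaves identically.
grep -E 'nag|apach' /etc/passwd
grep -E 'nag|apach' /etc/group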
Here you have everything; I have nothing to hide.

jolson wrote: Let's take a look at your audit log in addition to your permissions all the way down. Your user and group settings could also be useful. Feel free to hide anything you don't want us to see.
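# The four commands were collapsed onto one line, which makes them a single
# tail invocation with 'namei', '-mo', 'egrep', '/etc/passwd' ... treated as
# extra file arguments. One command per line is what was intended.

# Most recent audit records (contains IPs, hostnames, key fingerprints --
# redact before posting).
tail -n 30 /var/log/audit/audit.log

# Mode and owner of each path component down to every file in var/.
namei -mo /usr/local/nagios/var/*

# Relevant accounts and groups; grep -E replaces the deprecated egrep.
grep -E 'nag|apach' /etc/passwd
grep -E 'nag|apach' /etc/group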
[root@nagiosesjal ~]# tail -n30 /var/log/audit/audit.log
type=CRYPTO_SESSION msg=audit(1435864143.256:306): user pid=1574 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 spid=1574 suid=0 rport=49836 laddr=192.168.1.100 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1435864144.771:307): user pid=1574 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=from-client spid=1574 suid=0 rport=49836 laddr=192.168.1.100 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1435864146.172:308): user pid=1574 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=from-server spid=1574 suid=0 rport=49836 laddr=192.168.1.100 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=DAEMON_START msg=audit(1435917901.398:2637): auditd start, ver=2.2 format=raw kernel=2.6.32-431.el6.i686 auid=4294967295 pid=1155 subj=system_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1435917901.504:4): audit_backlog_limit=320 old=64 auid=4294967295 ses=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=USER_START msg=audit(1435917903.445:5): user pid=1367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRED_ACQ msg=audit(1435917903.446:6): user pid=1367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRED_DISP msg=audit(1435917903.657:7): user pid=1367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=USER_END msg=audit(1435917903.657:8): user pid=1367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=USER_START msg=audit(1435917903.675:9): user pid=1390 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRED_ACQ msg=audit(1435917903.675:10): user pid=1390 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRED_DISP msg=audit(1435917903.691:11): user pid=1390 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=USER_END msg=audit(1435917903.691:12): user pid=1390 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="nagios" exe="/sbin/runuser" hostname=? addr=? terminal=console res=success'
type=CRYPTO_KEY_USER msg=audit(1435918075.757:13): user pid=1432 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=56:2e:a2:74:75:75:a4:81:f2:a1:8c:9b:df:b4:b1:a9 direction=? spid=1432 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1435918075.757:14): user pid=1432 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=5b:45:e1:a6:05:65:e7:18:f2:68:8c:69:89:dc:a4:33 direction=? spid=1432 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1435918075.759:15): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 spid=1432 suid=74 rport=49380 laddr=192.168.1.100 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1435918075.759:16): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 spid=1432 suid=74 rport=49380 laddr=192.168.1.100 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=USER_AUTH msg=audit(1435918080.278:17): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=USER_ACCT msg=audit(1435918080.281:18): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1435918080.281:19): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1432 suid=74 rport=49380 laddr=192.168.1.100 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=? res=success'
type=USER_AUTH msg=audit(1435918080.282:20): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1435918080.282:21): user pid=1431 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=LOGIN msg=audit(1435918080.282:22): pid=1431 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
type=USER_ROLE_CHANGE msg=audit(1435918080.364:23): user pid=1431 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=USER_START msg=audit(1435918080.367:24): user pid=1431 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1435918080.521:25): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1435918080.521:26): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=/dev/pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1435918080.528:27): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=56:2e:a2:74:75:75:a4:81:f2:a1:8c:9b:df:b4:b1:a9 direction=? spid=1435 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1435918080.528:28): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=5b:45:e1:a6:05:65:e7:18:f2:68:8c:69:89:dc:a4:33 direction=? spid=1435 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.1 terminal=pts/0 res=success'
type=CRED_REFR msg=audit(1435918080.528:29): user pid=1435 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.1 addr=192.168.1.1 terminal=ssh res=success'
[root@nagiosesjal ~]# namei -mo /usr/local/nagios/var/*
f: /usr/local/nagios/var/archives
dr-xr-xr-x root root /
drwsrwsrwt root root usr
drwsrwsrwt root root local
drwsrwsrwt root root nagios
drwsrwsrwt root root var
drwsrwsrwt root root archives
f: /usr/local/nagios/var/nagios.lock
dr-xr-xr-x root root /
drwsrwsrwt root root usr
drwsrwsrwt root root local
drwsrwsrwt root root nagios
drwsrwsrwt root root var
-rw-r--r-- nagios root nagios.lock
f: /usr/local/nagios/var/nagios.log
dr-xr-xr-x root root /
drwsrwsrwt root root usr
drwsrwsrwt root root local
drwsrwsrwt root root nagios
drwsrwsrwt root root var
-rwxrwxrwt root root nagios.log
f: /usr/local/nagios/var/objects.cache
dr-xr-xr-x root root /
drwsrwsrwt root root usr
drwsrwsrwt root root local
drwsrwsrwt root root nagios
drwsrwsrwt root root var
-rwxrwxrwt root root objects.cache
f: /usr/local/nagios/var/objects.precache
dr-xr-xr-x root root /
drwsrwsrwt root root usr
drwsrwsrwt root root local
drwsrwsrwt root root nagios
drwsrwsrwt root root var
-rwxrwxrwt root root objects.precache
f: /usr/local/nagios/var/retention.dat
dr-xr-xr-x root root /
drwsrwsrwt root root usr
drwsrwsrwt root root local
drwsrwsrwt root root nagios
drwsrwsrwt root root var
-rwxrwxrwt root root retention.dat
f: /usr/local/nagios/var/rw
dr-xr-xr-x root root /
drwsrwsrwt root root usr
drwsrwsrwt root root local
drwsrwsrwt root root nagios
drwsrwsrwt root root var
drwsrwsrwt root root rw
f: /usr/local/nagios/var/spool
dr-xr-xr-x root root /
drwsrwsrwt root root usr
drwsrwsrwt root root local
drwsrwsrwt root root nagios
drwsrwsrwt root root var
drwsrwsrwt root root spool
f: /usr/local/nagios/var/status.dat
dr-xr-xr-x root root /
drwsrwsrwt root root usr
drwsrwsrwt root root local
drwsrwsrwt root root nagios
drwsrwsrwt root root var
-rwxrwxrwt root root status.dat
[root@nagiosesjal ~]# egrep 'nag|apach' /etc/passwd
apache:x:48:48:Apache:/var/www:/sbin/nologin
nagios:x:500:500::/home/nagios:/bin/bash
[root@nagiosesjal ~]# egrep 'nag|apach' /etc/group
apache:x:48:
nagios:x:500:apache
nagcmd:x:501:nagios