How do I find which process is causing a file to lose its permissions?

Question

Yesterday one of our servers was having a problem, and it turned out the file /etc/init.d/nfs-kernel-server had lost it's permissions, they were reported as just ------------. Setting the permissions back to the same as the other files resolved the issue, and I'm wanting now to debug what happened. Is there anyway to get a log of when a files permissions changed, and why?

Answer 1

There's no default log for these kinds of actions, you need to set it up in advance.

You might consider using auditd, and configuring it to look for changes in the files you're finding with their permissions changed. You can then find information about which users and processes changed which files.

For example, you could do something like this ad-hoc:

auditctl -w /etc/init.d/nfs-kernel-server -k nfs-kernel-server

You can also add this to /etc/audit/audit.rules for long term use:

cat > /etc/audit/audit.rules << 'EOF'
-w /etc/init.d/nfs-kernel-server
EOF

After this, you need to start and enable auditd. On most systemd distributions, this can be done like so:

systemctl enable auditd
systemctl start auditd

For non-systemd systems, you will want to consult your documentation, but it is probably a service named "auditd".

After that you can consult logs at /var/log/audit/audit.log, or wherever auditd is configured to log. You will see results like this:

type=SYSCALL msg=audit(1349582090.742:414): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=17be0f0 a2=1ff a3=4000 items=1 ppid=2859 pid=3069 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1349582090.742:414):  cwd="/root"
type=PATH msg=audit(1349582090.742:414): item=0 name="/var/www/html/1" inode=6171184 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_content_t:s0