auditd does not record actiosn by apache/php

Asked Dec 15 '22 at 14:02

Active Dec 15 '22 at 14:02

Viewed 63 times

I have a PHP/Apache2-based webservice and I want to audit every file-IO action it does.

I use auditd as recommended here.

I set up audit.d like this

## enable ruleset
-e 1
limit rate
-r 1000
monitor
-w /var/www/html/my/path/ -p rwxa -k toplevel_my_app

The auditd.conf is kept as default.

Whenever I touch anything in /var/www/html/my/path/ with whatever program it gets logged in /var/www/html/my/path/ as expected. But when the webservice does, nothing is recorded.

When I make a simple PHP script which writes to a file in the folder, and I call it from CLI, the action gets logged. When I call the very same script via apache/localhost it doesn't get get logged.

What am I doing wrong?

I am on Debian 11 (Debian 5.10.149-2) and use PHP 8.1.13.

asked Dec 15 '22 at 14:02

Paflow

did you find any solution for this? I have the same problem. – ponciste Nov 24 '23 at 12:51
@ponciste I think it had something to do with the user. Apache is another user than me on the CLI. – Paflow Nov 29 '23 at 11:56

auditd does not record actiosn by apache/php

limit rate

monitor

0 Answers0