audit + php-fpm

audit + php-fpm

[ja ja]

[-- Attachment #1.1: Type: text/plain, Size: 359 bytes --]

Auditd can't catch changes make by php-fpm, when I use bash everything
works fine but when I use script like this :
 <?php
mkdir('kat123');
?>
audit.log show nothing
This is my audit.rules :
-a exit,never -F dir=/var/www/temp/
-a exit,always -F dir=/var/www/ -F perm=wa -k www
How does PHP-FPM alter a file and escape detection by auditd? Is this
auditd bug.

[-- Attachment #1.2: Type: text/html, Size: 452 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: audit + php-fpm

[Steve Grubb]

On Sunday, October 06, 2013 12:45:05 AM ja ja wrote:
> Auditd can't catch changes make by php-fpm, when I use bash everything
> works fine but when I use script like this :
>  <?php
> mkdir('kat123');
> ?>
> audit.log show nothing
> This is my audit.rules :
> -a exit,never -F dir=/var/www/temp/
> -a exit,always -F dir=/var/www/ -F perm=wa -k www
> How does PHP-FPM alter a file and escape detection by auditd? Is this
> auditd bug.

Not knowing anything about php-fpm...is there any chance that the content it 
accesses is outside of /var/www? Do you have any mount points or symlinks 
somewhere in the /var/www/ directory tree?

-Steve