:: Re: [DNG] [OT] files disappearing r…
Author: dng@d404.nl
Date:  
To: dng
Subject: Re: [DNG] [OT] files disappearing reproducibly
On 19-02-2022 16:25, Florian Zieboll via Dng wrote:
> Hello list,
>
> may I ask for help narrowing down a strange phenomenon?
>
> Any files in my personal '~/tmp/' directory just disappear after a
> couple of minutes. I was able to catch the event with 'auditd' - it seems
> to be executed in a bash within a qterminal, running as child of PID 1:
>
> The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first
> line, caught with
>
> # auditctl -w /home/florian/tmp/test -p wa ; tail -f /var/log/audit/audit.log
>
> type=SYSCALL msg=audit(1645279145.766:65): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5604372f44d0 a2=0 a3=fffffffffffff2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null)ARCH=x86_64 SYSCALL=unlinkat AUID="florian" UID="florian" GID="florian" EUID="florian" SUID="florian" FSUID="florian" EGID="florian" SGID="florian" FSGID="florian"
> type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
> type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
> type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="florian" OGID="florian"
> type=PROCTITLE msg=audit(1645279145.766:65): proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
> type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
> type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:accounting grantors=pam_permit acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
> type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
> type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:session_open grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
>
>
> And here the relevant snippet of 'ps axjf':
>
>   PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
>      1  8287  8286  8286 ?           -1 Rl    1001   0:01 /usr/bin/qterminal
>   8287  8290  8290  8290 pts/2     8358 Ss    1001   0:00  \_ /bin/bash
>
>
> As I suspect that I might have installed a routine that regularly deletes
> the content of ~/tmp, I checked for crontab entries, but neither of the
> two following commands returns a result:
>
> # grep -re tmp /etc/cron*
> # grep -re tmp /var/spool/cron/
>
> Besides that: Wouldn't a cronjob have 'crond' as parent?
>
> Thank you very much for any hints leading to more insight!
>
> Libre greetings,
> Florian


Probably not helpful either, but does auth.log show anything from the use
of exec="/bin/su"?

Grtz

Nick
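The audit records quoted in the thread above, as an added example that is not part of any post: a small Python parser that joins the SYSCALL, PATH and PROCTITLE records of one audit serial and decodes the hex-encoded proctitle, which is how one confirms from the log alone what command PID 8292 ran and which parent (ppid 8290, the bash in the 'ps axjf' output) spawned it. The sample lines are constructed from the quoted log and trimmed to the fields the parser uses.

```python
import re
from collections import defaultdict

# Constructed sample: the records of audit serial 65 from the quoted audit.log, trimmed.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1645279145.766:65): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=8290 pid=8292 auid=1001 uid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" key=(null)
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 nametype=PARENT
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 nametype=DELETE
type=PROCTITLE msg=audit(1645279145.766:65): proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
"""

HEADER_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')

def parse_record(line):
    """Split one audit line into (type, serial, {field: value}) or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    return rtype, int(serial), {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def decode_proctitle(value):
    """auditd hex-encodes proctitle when it holds NULs; argv is NUL-separated."""
    if HEX_RE.match(value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode('utf-8', 'replace').split('\x00')
    return value.strip('"').split()

def deletions(log_text):
    """Join records by serial and report each DELETE path with the process that did it."""
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec[1]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        kinds = {t: f for t, _, f in recs if t in ('SYSCALL', 'PROCTITLE')}
        if 'SYSCALL' not in kinds:
            continue
        argv = decode_proctitle(kinds['PROCTITLE']['proctitle']) if 'PROCTITLE' in kinds else []
        for t, _, f in recs:
            if t == 'PATH' and f.get('nametype') == 'DELETE':
                events.append({'serial': serial, 'path': f['name'],
                               'exe': kinds['SYSCALL'].get('exe'),
                               'pid': int(kinds['SYSCALL']['pid']),
                               'ppid': int(kinds['SYSCALL']['ppid']), 'argv': argv})
    return events
```

Running `deletions()` over a real `/var/log/audit/audit.log` (after the `auditctl -w` rule from the post) lists every deletion under the watched path together with pid, ppid and the full argv, so the parent chain can be followed in `ps axjf`.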