On 19-02-2022 16:25, Florian Zieboll via Dng wrote:
Hallo list,
may I ask for help narrowing down a strange phenomenon?
Any files in my personal '~/tmp/' directory just disappear after a
couple of minutes. I was able to catch the event with 'auditd' - it seems
to be executed in a bash within a qterminal, running as child of PID 1:
The 'audit.log' shows an 'exe="/bin/rm"' with 'ppid 8290' in the first
line, caught with
# auditctl -w /home/florian/tmp/test -p wa ; tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1645279145.766:65): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5604372f44d0 a2=0 a3=fffffffffffff2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001
gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null)ARCH=x86_64 SYSCALL=unlinkat
AUID="florian" UID="florian" GID="florian" EUID="florian" SUID="florian" FSUID="florian" EGID="florian"
SGID="florian" FSGID="florian"
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03
mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
cap_frootid=0OUID="florian" OGID="florian"
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858
dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
cap_frootid=0OUID="florian" OGID="florian"
type=PROCTITLE msg=audit(1645279145.766:65):
proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
type=USER_AUTH msg=audit(1645279157.578:66): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined
msg='op=PAM:authentication grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su"
hostname=nulldevice.lan addr=? terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_ACCT msg=audit(1645279157.578:67): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:accounting
grantors=pam_permit acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=?
terminal=pts/2 res=success'UID="florian" AUID="florian"
type=CRED_ACQ msg=audit(1645279157.578:68): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined msg='op=PAM:setcred
grantors=pam_permit,pam_cap acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=?
terminal=pts/2 res=success'UID="florian" AUID="florian"
type=USER_START msg=audit(1645279157.582:69): pid=8301 uid=1001 auid=1001 ses=1 subj==unconfined
msg='op=PAM:session_open grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_unix,pam_elogind
acct="administrator" exe="/bin/su" hostname=nulldevice.lan addr=? terminal=pts/2
res=success'UID="florian" AUID="florian"
And here the relevant snippet of 'ps axjf':
PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND
1 8287 8286 8286 ? -1 Rl 1001 0:01 /usr/bin/qterminal
8287 8290 8290 8290 pts/2 8358 Ss 1001 0:00 \_ /bin/bash
As I suspect that I might have installed a routine that regularly deletes
the content of ~/tmp, I checked for crontab entries, but neither of the
two following commands returns a result:
# grep -re tmp /etc/cron*
# grep -re tmp /var/spool/cron/
Besides that: Wouldn't a cronjob have 'crond' as parent?
Thank you very much for any hints leading to more insight!
Libre greetings,
Florian
Probably not helpful either, but does auth.log show something from the use
of exec="/bin/su"?
Grtz
Nick
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
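A worked example, added here and not code from either poster: the SYSCALL, CWD, PATH and PROCTITLE records Florian quoted are regrouped by their audit event serial and the hex-encoded PROCTITLE field is decoded, which turns the opaque string in the log into the actual command line of the deleting process. The sample log is the post's own excerpt with the extraction line-wraps rejoined and the trailing enriched `UID="florian"`-style fields dropped; the syscall-name table holds only the single arch/number pair the post itself shows, and the `ps -o` hint printed at the end is a suggested next step, not something the thread ran.

```python
import re
from collections import defaultdict

# Constructed sample: the records from the post for event serial 65, one per
# line, with wrapped lines rejoined and the appended *UID="florian" fields omitted.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1645279145.766:65): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=5604372f44d0 a2=0 a3=fffffffffffff2cb items=2 ppid=8290 pid=8292 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts2 ses=1 comm="rm" exe="/bin/rm" subj==unconfined key=(null)
type=CWD msg=audit(1645279145.766:65): cwd="/home/florian"
type=PATH msg=audit(1645279145.766:65): item=0 name="/home/florian/tmp/" inode=6294470 dev=103:03 mode=040755 ouid=1001 ogid=1001 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1645279145.766:65): item=1 name="/home/florian/tmp/test" inode=6301858 dev=103:03 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1645279145.766:65): proctitle=726D002D7266002F686F6D652F666C6F7269616E2F746D702F74657374
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')          # key=value or key="value"
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and event serial
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')

# Syscall numbers are per-architecture; this single entry is taken from the
# post's own arch=c000003e / SYSCALL=unlinkat pair (assumption: x86_64 only).
SYSCALL_NAMES = {("c000003e", 263): "unlinkat"}


def parse_record(line):
    """Split one audit record into a dict of fields plus its event time/serial."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        # keep the quotes on proctitle: quoted means literal, unquoted means hex
        fields[key] = value if key == "proctitle" else value.strip('"')
    m = EVENT_RE.search(line)
    if m:
        fields["_time"], fields["_serial"] = m.group(1), int(m.group(2))
    return fields


def decode_proctitle(value):
    """auditd writes proctitle as hex when argv holds NUL/space bytes; NUL separates args."""
    if value.startswith('"'):
        return [value.strip('"')]
    if HEX_RE.match(value) and len(value) % 2 == 0:
        raw = bytes.fromhex(value).rstrip(b"\0")
        return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]
    return [value]


def group_events(text):
    """Regroup records by audit event serial (one syscall produces several lines)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            if "_serial" in rec:
                events[rec["_serial"]].append(rec)
    return events


def summarize_deletions(text):
    """One summary per event whose PATH records carry nametype=DELETE."""
    out = []
    for serial, recs in sorted(group_events(text).items()):
        by_type = defaultdict(list)
        for r in recs:
            by_type[r["type"]].append(r)
        deleted = [p["name"] for p in by_type["PATH"] if p.get("nametype") == "DELETE"]
        if not deleted or not by_type["SYSCALL"]:
            continue
        sc = by_type["SYSCALL"][0]
        argv = (decode_proctitle(by_type["PROCTITLE"][0]["proctitle"])
                if by_type["PROCTITLE"] else [])
        out.append({
            "serial": serial,
            "time": sc["_time"],
            "syscall": SYSCALL_NAMES.get((sc.get("arch"), int(sc["syscall"])), sc["syscall"]),
            "exe": sc["exe"],
            "pid": int(sc["pid"]),
            "ppid": int(sc["ppid"]),
            "cwd": by_type["CWD"][0]["cwd"] if by_type["CWD"] else None,
            "deleted": deleted,
            "argv": argv,
        })
    return out


if __name__ == "__main__":
    for ev in summarize_deletions(SAMPLE_LOG):
        print(f"event {ev['serial']} at {ev['time']}: {ev['syscall']} by {ev['exe']} "
              f"(pid {ev['pid']}, parent {ev['ppid']}, cwd {ev['cwd']})")
        print("  command line:", " ".join(ev["argv"]))
        print("  deleted:", ", ".join(ev["deleted"]))
        # The parent is what matters for finding the trigger; inspect it while it lives:
        print(f"  next: ps -o pid,ppid,sid,tty,cmd -p {ev['ppid']}")
```

Run as a script it prints the decoded command line `rm -rf /home/florian/tmp/test` for event 65, confirming from the PROCTITLE bytes alone that the deletion was an explicit `rm -rf` of the watched file issued from pid 8292 under the interactive bash (ppid 8290) rather than from a cron child. Reading the real file instead of the sample is a one-line change (`summarize_deletions(open("/var/log/audit/audit.log").read())`, run as root), and the same grouping works for `ausearch` output.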