So I set up an audit, and it seems periodically config.php is deleted and a new version created with crond with the owner as root. Any idea how to resolve this? Thanks.
type=PATH msg=audit(1485399901.940:35852): item=2 name="/var/www/html/wp-content/wflogs/config.tmp.tUtCnA" inode=1033038 dev=fd:01 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_rw_content_t:s0 objtype=DELETE
type=PATH msg=audit(1485399901.940:35852): item=3 name="/var/www/html/wp-content/wflogs/config.php" inode=1033068 dev=fd:01 mode=0100660 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_sys_rw_content_t:s0 objtype=DELETE
Triggered to record file name path information.
type=PATH msg=audit(1485399901.940:35852): item=4 name="/var/www/html/wp-content/wflogs/config.php" inode=1033038 dev=fd:01 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_rw_content_t:s0 objtype=CREATE
Triggered when a user disposes of user-space credentials.
type=CRED_DISP msg=audit(1485399901.945:35853): pid=32752 uid=0 auid=0 ses=4155 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Triggered when a user-space session is terminated.
type=USER_END msg=audit(1485399901.946:35854): pid=32752 uid=0 auid=0 ses=4155 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SYSCALL msg=audit(1485399938.097:35855): arch=c000003e syscall=90 success=no exit=-1 a0=7fd69fdb1498 a1=1b0 a2=7fd69a4e0640 a3=7fd69a4b7640 items=1 ppid=26266 pid=30830 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="configphp-changed"
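Added example, not part of the original post: a small Python triage script that groups audit PATH records by event serial and reports any path that a single event deleted and re-created under a different owner, which is the pattern in the records above. The function names `parse` and `find_owner_swaps` are hypothetical, and the sample input is constructed from the post's three PATH records with straight quotes and some fields trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: the three PATH records of event 35852 from the post,
# with straight quotes and the dev/rdev/obj fields trimmed for width.
SAMPLE = """\
type=PATH msg=audit(1485399901.940:35852): item=2 name="/var/www/html/wp-content/wflogs/config.tmp.tUtCnA" inode=1033038 mode=0100660 ouid=0 ogid=0 objtype=DELETE
type=PATH msg=audit(1485399901.940:35852): item=3 name="/var/www/html/wp-content/wflogs/config.php" inode=1033068 mode=0100660 ouid=48 ogid=48 objtype=DELETE
type=PATH msg=audit(1485399901.940:35852): item=4 name="/var/www/html/wp-content/wflogs/config.php" inode=1033038 mode=0100660 ouid=0 ogid=0 objtype=CREATE
"""

EVENT = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return one audit record as a dict, or None if the line is not a record."""
    m = EVENT.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["serial"] = int(m.group(2))
    return rec

def find_owner_swaps(lines):
    """Report paths that one event deleted and re-created under a different owner."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec.get("type") == "PATH":
            events[rec["serial"]].append(rec)
    findings = []
    for serial, recs in events.items():
        gone = [r for r in recs if r.get("objtype") == "DELETE"]
        for new in (r for r in recs if r.get("objtype") == "CREATE"):
            old = next((r for r in gone if r["name"] == new["name"]), None)
            if old is None or old["ouid"] == new["ouid"]:
                continue
            # Same inode as another deleted name means that file was renamed over the path.
            src = next((r for r in gone if r["inode"] == new["inode"]), None)
            findings.append({"serial": serial, "path": new["name"],
                             "old_ouid": old["ouid"], "new_ouid": new["ouid"],
                             "renamed_from": src["name"] if src else None})
    return findings

if __name__ == "__main__":
    for f in find_owner_swaps(SAMPLE.splitlines()):
        print(f)
```

On the sample it reports one finding: config.php went from ouid 48 to ouid 0 because the root-owned temp file (same inode) was renamed over it.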