Getting Process name instead of PPID

nehal dattani nehal.dattani at gmail.com
Fri Sep 9 18:31:52 UTC 2011


Hi,

I have a strange issue with iptables on my server. It was getting loaded
automatically even if I stopped it. I set up auditing but couldn't find what
REALLY triggers iptables.
Here's a snip from the ausearch output:


----
time->Thu Sep  8 20:12:35 2011
type=PATH msg=audit(1315492955.754:891146): item=1 name=(null)
inode=17465407 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1315492955.754:891146): item=0 name="/sbin/iptables"
inode=32210958 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1315492955.754:891146):  cwd="/root"
type=EXECVE msg=audit(1315492955.754:891146): argc=2 a0="iptables" a1="-L"
type=SYSCALL msg=audit(1315492955.754:891146): arch=c000003e syscall=59
success=yes exit=0 a0=1c70fbc0 a1=1c6ff6f0 a2=1c6effe0 a3=8 items=2
ppid=11061 pid=11622 auid=11001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts1 ses=92491 comm="iptables" exe="/sbin/iptables"
key="iptable_load_audit"
----
time->Thu Sep  8 20:23:28 2011
type=PATH msg=audit(1315493608.196:891434): item=1 name=(null)
inode=17465407 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1315493608.196:891434): item=0 name="/sbin/iptables"
inode=32210958 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1315493608.196:891434):  cwd="/"
type=EXECVE msg=audit(1315493608.196:891434): argc=9 a0="/sbin/iptables"
a1="--table" a2="nat" a3="--delete" a4="POSTROUTING" a5="--source" a6="
192.168.122.0/255.255.255.0" a7="--jump" a8="MASQUERADE"
type=SYSCALL msg=audit(1315493608.196:891434): arch=c000003e syscall=59
success=yes exit=0 a0=5527080 a1=5530840 a2=7fffcda0bf60 a3=3ce1e16220
items=2 ppid=5564 pid=17660 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables"
exe="/sbin/iptables" key="iptable_load_audit"

The notable difference between the two entries is the tty. In the second, it says
tty=none. Based on this, it can be concluded that some application is
accessing iptables. I believe that if I can get the name of the PPID, it can help me
in tracing this further.

Any advice?

Regards,
Nehal Dattani
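Added example (not part of the original post or of the audit tooling): a small Python script that parses the two SYSCALL records quoted above, separates the interactive run (tty=pts1, auid set) from the non-interactive one (tty=(none), auid=4294967295, i.e. no login session), and then resolves the ppid to a process name by reading /proc/<ppid>/comm and walking the PPid chain in /proc/<pid>/status. The resolution only works while the parent is still alive, so the script reports a cold chain instead of guessing when the parent has already exited. The /proc lookalike built by build_fake_proc and the name "fakedaemon" are constructed for offline testing and are not taken from the poster's system.

```python
"""Parse ausearch SYSCALL records and resolve ppid -> process name via /proc."""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two SYSCALL records quoted in the post, each re-joined onto one line.
SAMPLE_AUSEARCH = """\
type=SYSCALL msg=audit(1315492955.754:891146): arch=c000003e syscall=59 success=yes exit=0 a0=1c70fbc0 a1=1c6ff6f0 a2=1c6effe0 a3=8 items=2 ppid=11061 pid=11622 auid=11001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=92491 comm="iptables" exe="/sbin/iptables" key="iptable_load_audit"
type=SYSCALL msg=audit(1315493608.196:891434): arch=c000003e syscall=59 success=yes exit=0 a0=5527080 a1=5530840 a2=7fffcda0bf60 a3=3ce1e16220 items=2 ppid=5564 pid=17660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" key="iptable_load_audit"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_UNSET = "4294967295"  # -1 as unsigned: auid/ses were never set (no login session)


def parse_syscall_records(text: str) -> List[Dict[str, str]]:
    """Turn each type=SYSCALL line into a dict of field -> value (quotes stripped)."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=SYSCALL"):
            records.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return records


def origin(rec: Dict[str, str]) -> str:
    """'interactive' when a logged-in user on a tty ran it; otherwise
    'non-interactive' (cron, a daemon, an init script: no tty, no audit session)."""
    has_tty = rec.get("tty", "(none)") != "(none)"
    has_session = rec.get("auid") != AUDIT_UNSET
    return "interactive" if has_tty and has_session else "non-interactive"


def proc_comm(pid: int, proc_root: str = "/proc") -> Optional[str]:
    """Process name from /proc/<pid>/comm, or None if the process is already gone."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return None


def ancestry(pid: int, proc_root: str = "/proc",
             max_depth: int = 32) -> List[Tuple[int, Optional[str]]]:
    """Walk pid -> parent -> ... using the 'PPid:' line of /proc/<pid>/status,
    stopping at init (PPid 0) or at the first process that no longer exists."""
    chain: List[Tuple[int, Optional[str]]] = []
    while pid > 0 and len(chain) < max_depth:
        name = proc_comm(pid, proc_root)
        chain.append((pid, name))
        if name is None:  # parent exited before we looked: the trail is cold
            break
        try:
            with open(os.path.join(proc_root, str(pid), "status")) as fh:
                ppid_line = next(l for l in fh if l.startswith("PPid:"))
            pid = int(ppid_line.split()[1])
        except (OSError, StopIteration, ValueError):
            break
    return chain


def build_fake_proc(tree: Dict[int, Tuple[str, int]]) -> str:
    """Constructed /proc lookalike for offline testing: {pid: (comm, ppid)} -> root dir."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, (comm, ppid) in tree.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
        with open(os.path.join(d, "status"), "w") as fh:
            fh.write(f"Name:\t{comm}\nPid:\t{pid}\nPPid:\t{ppid}\n")
    return root


if __name__ == "__main__":
    # On a live box this resolves against the real /proc; the iptables pid itself is
    # long gone, so start the walk from the ppid, which is what we want named anyway.
    for rec in parse_syscall_records(SAMPLE_AUSEARCH):
        ppid = int(rec["ppid"])
        print(rec["pid"], rec["comm"], origin(rec), "parent:", ppid, proc_comm(ppid))
        print("  chain:", ancestry(ppid))
```

Because iptables exits in milliseconds, the pid in the record is never there to inspect; the ppid is, but only while the parent lives, so run the lookup soon after the event or against a parent that is a long-running daemon. For a historical log the /proc route is closed, and the way to name pid 5564 is the audit log itself: with execve audited for every process, the parent's own EXECVE/SYSCALL records carry pid=5564, and `ausearch -p 5564` pulls them out.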