Nginx nginx is down?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Umit, Dec 22, 2017.

  1. Umit (New Member)
    Hi, my nginx is down. I am trying to restart:

    Restarting nginx (via systemctl): Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

    [FAILED]

    # systemctl status nginx.service
    Code:
    ● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
       Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
       Active: failed (Result: exit-code) since Fri 2017-12-22 08:06:20 UTC; 1min 14s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 4613 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)

    Dec 22 08:06:20 server.mydomain.com systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
    Dec 22 08:06:20 server.mydomain.com nginx[4613]: Starting nginx: nginx: [emerg] duplicate location "/src/" in /usr/local/nginx/conf/conf.d/thatdomain.com.ssl.conf:92
    Dec 22 08:06:20 server.mydomain.com nginx[4613]: [FAILED]
    Dec 22 08:06:20 server.mydomain.com systemd[1]: nginx.service: control process exited, code=exited status=1
    Dec 22 08:06:20 server.mydomain.com systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
    Dec 22 08:06:20 server.mydomain.com systemd[1]: Unit nginx.service entered failed state.
    Dec 22 08:06:20 server.mydomain.com systemd[1]: nginx.service failed.
    
     
  2. noly (Premium Member)
    Hi @Umit, please post the content of the file:

    /usr/local/nginx/conf/conf.d/thatdomain.com.ssl.conf
     
  3. eva2000 (Administrator, Staff Member)
    Test your nginx config via the command below. What output do you get?
    Code (Text):
    nginx -t
    

    Did you, or anyone who logged into your server recently, edit the nginx vhost config files? An improper edit could have caused nginx to fail to restart.

    In future, if you want to track which files were edited, by whom and when, Centmin Mod 123.09beta01 has optional support to install auditd via tools/auditd.sh, outlined at Centmin Mod Auditd Support Added In Latest 123.09beta01.

    Understanding and using auditd is left to the end user to do themselves, as there's no support provided by me.
     
  4. Umit (New Member)
    Code:
    #x# HTTPS-DEFAULT
    server {
      server_name thatdomain.com www.thatdomain.com;
      return 302 https://$server_name$request_uri;
    }

    server {
      listen 443 ssl http2;
      server_name thatdomain.com www.thatdomain.com;

      include /usr/local/nginx/conf/ssl/thatdomain.com/thatdomain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;

      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:$
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;

      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;

      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;

    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      access_log /home/nginx/domains/thatdomain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/thatdomain.com/log/error.log;
    
    
     
  5. Umit (New Member)
    The site is back, interestingly... just after I told the guy who manages my server...
    I am not convinced there was an issue that could have caused this. I suspect intentional sabotage.
     
  6. eva2000 (Administrator, Staff Member)
    Your nginx vhost doesn't look like it was completely posted? Ensure your SSH client's scrollback history buffer is raised to a higher level, i.e. 128000 lines, so you can properly display the output of commands like the one below, which prints the content of the file /usr/local/nginx/conf/conf.d/thatdomain.com.ssl.conf
    Code (Text):
    cat /usr/local/nginx/conf/conf.d/thatdomain.com.ssl.conf
    

    Then highlight the content in the SSH client's output window and copy and paste it.
     
  7. Umit (New Member)
    I am using the Mac's Terminal, can I increase it for that?
     
  8. eva2000 (Administrator, Staff Member)
    Never used a Mac myself, so best to Google it = LMGTFY ;)
     
  9. Umit (New Member)
    OK, I did it: :)
    Code:
    #x# HTTPS-DEFAULT
    server {
      server_name thatdomain.com www.thatdomain.com;
      return 302 https://$server_name$request_uri;
    }

    server {
      listen 443 ssl http2;
      server_name thatdomain.com www.thatdomain.com;

      include /usr/local/nginx/conf/ssl/thatdomain.com/thatdomain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;

      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-$
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;

      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;

      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;

    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;

      # limit_conn limit_per_ip 16;
      # ssi  on;

      access_log /home/nginx/domains/thatdomain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/thatdomain.com/log/error.log;

      include /usr/local/nginx/conf/autoprotect/thatdomain.com/autoprotect-thatdomain.com.conf;
      root /home/nginx/domains/thatdomain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;

      location / {
      try_files $uri $uri/ /index.php?$uri&$args;
      index index.php index.html;

      # return 302 https://thatdomain.com/pages/home/;

      include /usr/local/nginx/conf/503include-only.conf;

    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;

      # Enables directory listings when index file not found
      #autoindex  on;

      # Shows file listing times as local time
      #autoindex_localtime on;

      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;

      }

    location /install/data/ {
            internal;
    }

    location /install/templates/ {
            internal;
    }

    location /internal_data/ {
            internal;
    }

    location /library/ {
            internal;
            allow 127.0.0.1;
        deny all;
    }

    location /src/ {
            internal;
            allow 127.0.0.1;
        deny all;
    }

    location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass    127.0.0.1:9000;
            fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include         fastcgi_params;
    }

      include /usr/local/nginx/conf/pre-staticfiles-local-thatdomain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;

      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    
     
  10. eva2000 (Administrator, Staff Member)
    Looks OK now.

    The reason @noly and I would suspect the vhost is that in the 1st post you had this error line with a duplicate /src/ location, but your vhost now doesn't have a duplicate /src/, so you or someone managing your server removed the duplicate location context:
    Code (Text):
    Dec 22 08:06:20 server.mydomain.com nginx[4613]: Starting nginx: nginx: [emerg] duplicate location "/src/" in /usr/local/nginx/conf/conf.d/thatdomain.com.ssl.conf:92
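An added example, not code from this thread or from Centmin Mod: the checker below reproduces the rule nginx applied when it refused the vhost above. It walks one vhost file, tracks the enclosing server/location blocks, and reports every pair of exact (=) or prefix (bare or ^~) locations with the same URI inside the same block, with both line numbers, whereas `nginx -t` stops at the first [emerg]. An exact `location = /src/` beside a prefix `location /src/` is legal and is not flagged, regex locations are not compared (nginx does not compare them for duplicates either), and the same URI in a different server block is fine. The sample vhost and the function names are constructed for this example. The checker reads only the file it is given, so a duplicate arriving through an `include` (for example the autoprotect file) is still only caught by `nginx -t` itself.

```python
"""Find duplicate location blocks in one nginx vhost file, the condition behind
`[emerg] duplicate location "/src/"` in this thread. Added example, not Centmin
Mod code; the sample vhost below is constructed and is not the poster's file."""
import re
import sys

# nginx location syntax: location [ = | ~ | ~* | ^~ ] uri { ... }  (brace on the same line)
_LOCATION = re.compile(r"^\s*location\s+(?:(=|\^~|~\*|~)\s+)?(\S+)\s*\{")
_SERVER = re.compile(r"^\s*server\s*\{")


def find_duplicate_locations(conf_text):
    """Return [(uri, first_line, duplicate_line), ...].

    Mirrors what nginx rejects: two exact (=) or two prefix (bare or ^~) locations
    with the same URI in the same enclosing block. `location = /x` beside
    `location /x` is legal, regex locations are not compared, and the same URI in
    another server block is fine. Only this text is scanned: included files are
    not followed, so `nginx -t` remains the authority.
    """
    stack = []        # labels of the blocks currently open, innermost last
    seen = {}         # (enclosing blocks, kind, uri) -> line number of first use
    dupes = []
    servers = 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]      # drop comments (a quoted '#' is not handled)
        opened, closed = line.count("{"), line.count("}")
        if opened:
            loc = _LOCATION.match(line)
            if _SERVER.match(line):
                servers += 1
                label = f"server#{servers}"
            elif loc:
                modifier, uri = loc.groups()
                label = f"location {uri}"
                if modifier not in ("~", "~*"):          # regex locations are skipped
                    kind = "exact" if modifier == "=" else "prefix"
                    key = (tuple(stack), kind, uri)
                    if key in seen:
                        dupes.append((uri, seen[key], lineno))
                    else:
                        seen[key] = lineno
            else:
                label = (line.split() or ["block"])[0]
            stack.extend([label] * opened)
        for _ in range(closed):
            if stack:
                stack.pop()
    return dupes


# Constructed sample vhost: one illegal repeat of /src/ plus the legal neighbours.
SAMPLE_VHOST = """\
server {
  listen 443 ssl http2;
  server_name thatdomain.com www.thatdomain.com;
  location / { try_files $uri $uri/ /index.php?$uri&$args; }
  location /library/ { internal; }
  location /src/ { internal; }       # first definition (line 6)
  location ~ \\.php$ { fastcgi_pass 127.0.0.1:9000; }
  location = /src/ { return 404; }   # exact beside prefix: allowed
  location /src/ {                   # prefix again (line 9): nginx [emerg]
    allow 127.0.0.1;
    deny all;
  }
}
server {
  listen 80;
  server_name thatdomain.com www.thatdomain.com;
  location /src/ { internal; }       # other server block: allowed
}
"""


def report(conf_text, name="vhost.conf"):
    """One nginx-style line per duplicate, naming both occurrences."""
    return [f'duplicate location "{uri}" in {name}:{dup} (first defined at line {first})'
            for uri, first, dup in find_duplicate_locations(conf_text)]


if __name__ == "__main__":
    # Usage: python3 check_locations.py /usr/local/nginx/conf/conf.d/thatdomain.com.ssl.conf
    if len(sys.argv) > 1:
        name, text = sys.argv[1], open(sys.argv[1]).read()
    else:
        name, text = "sample", SAMPLE_VHOST
    for line in report(text, name) or [f"{name}: no duplicate locations"]:
        print(line)
```

Run it against the vhost after any edit, alongside `nginx -t`; with no argument it checks the built-in sample and reports the /src/ repeat at lines 6 and 9.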
    
     
  11. Umit (New Member)
    Yup, I didn't; seems like the guy who manages my server did.
    What can cause that file to end up with a duplicate?
     
  12. Umit (New Member)
    Does the "last" command give me ALL the IP addresses that logged in as root?
    Is there any backdoor method to log in as root that the "last" command can't see?
     
  13. eva2000 (Administrator, Staff Member)
    The easiest explanation would be bad copying and pasting of vhost contents.
    See last(1): show listing of last logged in users - Linux man page.
    So manipulation of the /var/log/btmp and /var/log/wtmp files is possible, though these are binary logs, so standard text editing isn't easy - see Modify a line in wtmp – Linux Accounting. I probably should add these log files to the optional tools/auditd.sh custom rule set, which can track modifications of the files.

    Edit: just updated the Centmin Mod 123.09beta01 code for tools/auditd.sh to add tracking for the 2 log files, including the utmpdump binary, i.e.
    Code (Text):
    cd /usr/local/src/centminmod
    git pull
    tools/auditd.sh setup
    

    Output:
    Code (Text):
    tools/auditd.sh setup
    enabled 1
    failure 1
    pid 16673
    rate_limit 200
    backlog_limit 8192
    lost 8
    backlog 0
    loginuid_immutable 0 unlocked
    
    /root/centminlogs/auditd_rulesd_output_221217-174659.log created
    /root/centminlogs/auditctl_rules_221217-174659.log created
    
    auditd installed and configured
    

    List the auditd custom rules set up for the log files and binary, which use key = sessiontmp:
    Code (Text):
    auditctl -l
    -w /var/log/wtmp -p rwxa -k sessiontmp
    -w /var/log/btmp -p rwxa -k sessiontmp
    -w /usr/bin/utmpdump -p rwxa -k sessiontmp
    

    Full list:
    Code (Text):
    auditctl -l
    -w /var/log/wtmp -p rwxa -k sessiontmp
    -w /var/log/btmp -p rwxa -k sessiontmp
    -w /usr/bin/utmpdump -p rwxa -k sessiontmp
    -w /etc/audit -p wa -k auditconfig
    -w /etc/libaudit.conf -p wa -k auditconfig
    -w /etc/audisp -p wa -k audispconfig
    -w /sbin/auditctl -p x -k audittools
    -w /sbin/auditd -p x -k audittools
    -w /etc/ssh/sshd_config -p rwxa -k sshd
    -w /etc/passwd -p wa -k passwd_changes
    -w /var/log/faillog -p wa -k logins_faillog
    -w /var/log/lastlog -p wa -k logins_lastlog
    -w /usr/bin/passwd -p x -k passwd_modification
    -w /etc/group -p wa -k group_changes
    -w /bin/su -p x -k priv_esc
    -w /usr/bin/sudo -p x -k priv_esc
    -w /usr/bin/ssh -p x -k ssh-execute
    -w /etc/sudoers -p rw -k priv_esc
    -w /sbin/shutdown -p x -k power
    -w /sbin/poweroff -p x -k power
    -w /sbin/reboot -p x -k power
    -w /sbin/halt -p x -k power
    -w /usr/sbin/groupadd -p x -k group_modification
    -w /usr/sbin/groupmod -p x -k group_modification
    -w /usr/sbin/addgroup -p x -k group_modification
    -w /usr/sbin/useradd -p x -k user_modification
    -w /usr/sbin/usermod -p x -k user_modification
    -w /usr/sbin/adduser -p x -k user_modification
    -w /etc/hosts -p wa -k hosts
    -w /etc/network -p wa -k network
    -w /etc/sysctl.conf -p wa -k sysctl
    -w /etc/cron.allow -p wa -k cron-allow
    -w /etc/cron.deny -p wa -k cron-deny
    -w /etc/cron.d -p wa -k cron.d
    -w /etc/cron.daily -p wa -k cron-daily
    -w /etc/cron.hourly -p wa -k cron-hourly
    -w /etc/cron.monthly -p wa -k cron-monthly
    -w /etc/cron.weekly -p wa -k cron-weekly
    -w /etc/crontab -p wa -k crontab
    -w /var/spool/cron/root -p rwxa -k crontab_root
    -a always,exit -F arch=b32 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b64 -S link,symlink -F key=symlinked
    -a always,exit -F arch=b32 -S sethostname -F key=hostname
    -a always,exit -F arch=b32 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b32 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S sethostname -F key=hostname
    -a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileacess
    -a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileacess
    -w /usr/local/nginx/conf -p wa -k nginxconf_changes
    -w /usr/local/nginx/conf/phpstatus.conf -p wa -k phpstatusconf_changes
    -w /usr/local/etc/php-fpm.conf -p wa -k phpfpmconf_changes
    -w /usr/local/lib/php.ini -p wa -k phpini_changes
    -w /etc/my.cnf -p wa -k mycnf_changes
    -w /root/.my.cnf -p wa -k mycnfdot_changes
    -w /etc/csf/csf.conf -p wa -k csfconf_changes
    -w /etc/csf/csf.blocklists -p wa -k csfpignore_changes
    -w /etc/csf/csf.pignore -p wa -k csfpignore_changes
    -w /etc/csf/csf.fignore -p wa -k csffignore_changes
    -w /etc/csf/csf.signore -p wa -k csfsignore_changes
    -w /etc/csf/csf.rignore -p wa -k csfrignore_changes
    -w /etc/csf/csf.mignore -p wa -k csfmignore_changes
    -w /etc/csf/csf.ignore -p wa -k csfignore_changes
    -w /etc/csf/csf.dyndns -p wa -k csfdyndns_changes
    -w /etc/centminmod/php.d -p wa -k phpconfigscandir_changes
    -w /etc/centminmod/custom_config.inc -p wa -k cmm_persistentconfig_changes
    -w /usr/local/src/centminmod -p wa -k centminmod_installdir
    -w /etc/pure-ftpd/pure-ftpd.conf -p wa -k pureftpd_changes
    -w /etc/init.d/memcached -p wa -k memcachedinitd_changes
    -a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F dir=/home/nginx/domains/testdomain.com/log -F success=0 -F key=testdomain.com_logdeletion
    -a always,exit -F arch=b32 -S rename,renameat -F dir=/home/nginx/domains/testdomain.com/log -F success=0 -F key=testdomain.com_logrename
    -a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F dir=/home/nginx/domains/testdomain.com/log -F success=0 -F key=testdomain.com_logdeletion
    -a always,exit -F arch=b64 -S rename,renameat -F dir=/home/nginx/domains/testdomain.com/log -F success=0 -F key=testdomain.com_logrename
    

    To test it out, I exited/logged out of the SSH session at 17:52 and then searched the auditd log for key = sessiontmp at timestamp 17:52.
    List successful login attempts filtered for 17:52:
    Code (Text):
    aureport -au -i --success | grep 17:52
    52. 12/22/2017 17:52:29 root 111.222.333.444 ssh /usr/sbin/sshd yes 55690
    53. 12/22/2017 17:52:29 root 111.222.333.444 ssh /usr/sbin/sshd yes 55693
    

    Check both auditd IDs 55690 and 55693:
    Code (Text):
    ausearch -a 55690
    ----
    time->Fri Dec 22 17:52:29 2017
    type=USER_AUTH msg=audit(1513965149.470:55690): pid=17078 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=111.222.333.444 addr=111.222.333.444 terminal=ssh res=success'
    

    Code (Text):
    ausearch -a 55693
    ----
    time->Fri Dec 22 17:52:29 2017
    type=USER_AUTH msg=audit(1513965149.471:55693): pid=17078 uid=0 auid=4294967295 ses=4294967295 msg='op=success acct="root" exe="/usr/sbin/sshd" hostname=? addr=111.222.333.444 terminal=ssh res=success'
    

    Code (Text):
    last | head -n1
    root     pts/0        111.222.333.444    Fri Dec 22 17:52   still logged in
    

    Code (Text):
    ausearch -ts 17:52 -k sessiontmp
    ----
    time->Fri Dec 22 17:52:25 2017
    type=PROCTITLE msg=audit(1513965145.987:55677): proctitle=737368643A20726F6F74407074732F30
    type=PATH msg=audit(1513965145.987:55677): item=0 name="/var/log/wtmp" inode=9175090 dev=09:02 mode=0100664 ouid=0 ogid=22 rdev=00:00 objtype=NORMAL
    type=CWD msg=audit(1513965145.987:55677):  cwd="/"
    type=SYSCALL msg=audit(1513965145.987:55677): arch=c000003e syscall=2 success=yes exit=8 a0=7f1cf15097b1 a1=1 a2=f156d a3=7ffcce1f1860 items=1 ppid=1078 pid=15347 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5844 comm="sshd" exe="/usr/sbin/sshd" key="sessiontmp"
    ----
    time->Fri Dec 22 17:52:29 2017
    type=PROCTITLE msg=audit(1513965149.472:55696): proctitle=737368643A20726F6F74205B707269765D
    type=PATH msg=audit(1513965149.472:55696): item=0 name="/var/log/btmp" inode=9175083 dev=09:02 mode=0100600 ouid=0 ogid=22 rdev=00:00 objtype=NORMAL
    type=CWD msg=audit(1513965149.472:55696):  cwd="/"
    type=SYSCALL msg=audit(1513965149.472:55696): arch=c000003e syscall=2 success=yes exit=5 a0=7f846d4403ba a1=0 a2=4 a3=7ffe1d0141e0 items=1 ppid=1078 pid=17078 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5873 comm="sshd" exe="/usr/sbin/sshd" key="sessiontmp"
    ----
    time->Fri Dec 22 17:52:30 2017
    type=PROCTITLE msg=audit(1513965150.725:55701): proctitle=737368643A20726F6F74407074732F30
    type=PATH msg=audit(1513965150.725:55701): item=0 name="/var/log/wtmp" inode=9175090 dev=09:02 mode=0100664 ouid=0 ogid=22 rdev=00:00 objtype=NORMAL
    type=CWD msg=audit(1513965150.725:55701):  cwd="/"
    type=SYSCALL msg=audit(1513965150.725:55701): arch=c000003e syscall=2 success=yes exit=4 a0=7f84749837b1 a1=1 a2=7ffe1d013070 a3=7ffe1d012aa0 items=1 ppid=17078 pid=17080 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5873 comm="sshd" exe="/usr/sbin/sshd" key="sessiontmp"
    

    syscall=2 is the open() file call:
    Code (Text):
    ausyscall --dump | grep -w ^2
    2       open
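The records above answer "who touched wtmp" only after reading raw SYSCALL, PATH and PROCTITLE lines by hand. As an added example (not part of eva2000's post or of tools/auditd.sh), the script below groups raw audit records by event serial, decodes the hex proctitle, reads the open(2)/openat(2) access mode from the syscall arguments, and lists only opens of /var/log/wtmp or /var/log/btmp for writing by a process outside an allow-list of expected writers. sshd appending the session to wtmp and sshd reading btmp for the failed-login count (the a1=1 and a1=0 events above) are dropped, so what remains is the wtmp-editing case discussed earlier in the thread. The sample records are constructed: the first two copy the shape of the ausearch output quoted above, the third is an invented python process opening wtmp read-write, and the allow-list and the syscall numbers (x86_64, as the `ausyscall --dump` check above confirms) are assumptions to tune per host.

```python
"""Reduce auditd `sessiontmp` records to "who opened wtmp/btmp for writing".
Added example in the style of the ausearch output quoted in this thread; it is
not part of Centmin Mod's tools/auditd.sh. All sample records are constructed."""
import re
import sys
from collections import defaultdict

WATCHED = {"/var/log/wtmp", "/var/log/btmp"}
# Processes that legitimately update login records: an assumption for this
# example, tune it to what actually runs on the host.
EXPECTED_WRITERS = {"sshd", "login", "systemd-logind", "init", "agetty"}
# x86_64 syscall numbers (the thread confirmed 2 = open via `ausyscall --dump`).
# open(path, flags, mode) carries flags in a1; openat(dirfd, path, flags, mode) in a2.
OPEN_FLAGS_ARG = {"2": "a1", "257": "a2"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Return (event serial, record type, fields) for one raw audit line, else None."""
    m = _SERIAL.search(line)
    if not m:
        return None  # ausearch separators such as "----" or "time->..."
    fields = {}
    for key, value in _KV.findall(line):
        # audit quotes plain strings and leaves hex-encoded ones unquoted; keep the
        # quotes on proctitle so decode_proctitle can tell the two apart.
        fields[key] = value if key == "proctitle" else value.strip('"')
    return int(m.group(2)), fields.get("type"), fields


def decode_proctitle(value):
    """Unquoted proctitle is hex (the command line held spaces or non-printables)
    with argv elements NUL-separated; a quoted proctitle is already plain text."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")
    except ValueError:
        return value


def access_mode(flags_hex):
    """Low two bits of open(2) flags: O_RDONLY=0, O_WRONLY=1, O_RDWR=2."""
    return {0: "read", 1: "write", 2: "read-write"}.get(int(flags_hex, 16) & 3, "?")


def group_events(lines):
    """Map serial -> {record type -> [fields, ...]}; an event may carry several PATHs."""
    events = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_record(line)
        if rec:
            serial, rtype, fields = rec
            events[serial][rtype].append(fields)
    return events


def unexpected_writes(lines):
    """Return [(serial, path, comm, decoded proctitle, mode)] for each open()/openat()
    of a watched file in write or read-write mode by a process outside the allow-list.
    Read-only opens and allow-listed writers are dropped."""
    hits = []
    for serial, recs in sorted(group_events(lines).items()):
        sc = recs["SYSCALL"][0] if recs["SYSCALL"] else {}
        flags_arg = OPEN_FLAGS_ARG.get(sc.get("syscall"))
        if sc.get("key") != "sessiontmp" or flags_arg is None:
            continue
        targets = {p.get("name") for p in recs["PATH"]} & WATCHED
        if not targets:
            continue
        mode = access_mode(sc.get(flags_arg, "0"))
        comm = sc.get("comm", "?")
        if mode == "read" or comm in EXPECTED_WRITERS:
            continue
        title = recs["PROCTITLE"][0].get("proctitle", '""') if recs["PROCTITLE"] else '""'
        hits.append((serial, min(targets), comm, decode_proctitle(title), mode))
    return hits


# Constructed sample: events 55677 and 55696 mirror the thread's ausearch output
# (sshd writing wtmp, sshd reading btmp); event 55720 is an invented wtmp edit.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1513965145.987:55677): proctitle=737368643A20726F6F74407074732F30
type=PATH msg=audit(1513965145.987:55677): item=0 name="/var/log/wtmp" inode=9175090 dev=09:02 mode=0100664 ouid=0 ogid=22 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1513965145.987:55677): arch=c000003e syscall=2 success=yes exit=8 a0=7f1cf15097b1 a1=1 a2=f156d a3=7ffcce1f1860 items=1 ppid=1078 pid=15347 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5844 comm="sshd" exe="/usr/sbin/sshd" key="sessiontmp"
type=PROCTITLE msg=audit(1513965149.472:55696): proctitle=737368643A20726F6F74205B707269765D
type=PATH msg=audit(1513965149.472:55696): item=0 name="/var/log/btmp" inode=9175083 dev=09:02 mode=0100600 ouid=0 ogid=22 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1513965149.472:55696): arch=c000003e syscall=2 success=yes exit=5 a0=7f846d4403ba a1=0 a2=4 a3=7ffe1d0141e0 items=1 ppid=1078 pid=17078 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5873 comm="sshd" exe="/usr/sbin/sshd" key="sessiontmp"
type=PROCTITLE msg=audit(1513966000.101:55720): proctitle=707974686F6E00656469745F77746D702E7079
type=PATH msg=audit(1513966000.101:55720): item=0 name="/var/log/wtmp" inode=9175090 dev=09:02 mode=0100664 ouid=0 ogid=22 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1513966000.101:55720): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0a2b2a0 a2=2 a3=0 items=1 ppid=17080 pid=17301 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5873 comm="python" exe="/usr/bin/python2.7" key="sessiontmp"
""".splitlines()


if __name__ == "__main__":
    # Real data: ausearch -k sessiontmp --raw > sessiontmp.log; python3 wtmp_writers.py sessiontmp.log
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for serial, path, comm, title, mode in unexpected_writes(lines):
        print(f"event {serial}: {comm} opened {path} {mode}: {title}")
```

The script expects raw records (`ausearch --raw` or /var/log/audit/audit.log), not the interpreted `ausearch -i` output, which already decodes proctitle and syscall names. On the sample it reports only the invented event: `event 55720: python opened /var/log/wtmp read-write: python edit_wtmp.py`.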
    
     