FM-Wiki

Audit permissions with auditctl

by: Joshua James | Published: 2021-08-20

To get a very in-depth understanding of what is happening on our server we can use auditctl.


Definition:

auditctl - a utility to assist controlling the kernel's audit system


In this example, we are trying to determine what permissions are being set on directories when WordPress adds a directory via a core function or a plugin.

We will be running auditctl to create an audit rule with the key test-perms.

Breakdown of the command and its flags
auditctl : runs the tool
-w : follow this with the path to watch
-p : the permission access types that a file system watch will trigger on, for example rwx (r = read, w = write, x = execute, a = attribute change)
-k : set a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. It uniquely identifies the audit records produced by a rule. "just names the audit"

Generate an audit
auditctl -w /var/www/vhosts/interteledent.com/public_html -p rwx -k test-perms

To review the audit at any time, run this command:

ausearch : searches the audit log
-k : select the key "name of the audit"

ausearch -k test-perms

Make this easier to read by piping it into less:
ausearch -k test-perms | less

Create additional audits with auditctl if needed.

Review existing audit rules:
auditctl -l

Delete all audit rules when you are done:
auditctl -D
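The ausearch output is verbose, so the part we actually care about (which mode WordPress handed to mkdir or chmod) is easy to miss. The shell function below is an added example, not part of the original note; it reads ausearch records on stdin and prints one summary line per mkdir/chmod call. It assumes x86_64 syscall numbers (83 = mkdir, 90 = chmod), the raw ausearch record format, and the constructed sample records embedded in the script (not real audit data).

```sh
#!/bin/sh
# Added example, not part of the original note: decode raw `ausearch -k test-perms`
# SYSCALL records to see which mode WordPress (php-fpm) handed to mkdir()/chmod().
# Assumptions: x86_64 syscall numbers (83 = mkdir, 90 = chmod), raw ausearch
# record format, and the constructed sample records below (not real audit data).

# Constructed sample: one mkdir() with mode 0x1ed (0755) and one chmod() with
# mode 0x1ff (0777), both from the web server user (uid 33). For mkdir and chmod
# the second syscall argument, logged as a1 in hex, is the mode.
SAMPLE_RECORDS='type=SYSCALL msg=audit(1629456000.101:3001): arch=c000003e syscall=83 success=yes exit=0 a0=55d0c1a2b3c0 a1=1ed a2=0 a3=0 items=2 ppid=1200 pid=1234 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key="test-perms"
type=PATH msg=audit(1629456000.101:3001): item=1 name="/var/www/vhosts/example.com/public_html/wp-content/uploads/2021" inode=131 dev=fd:01 mode=040755 ouid=33 ogid=33 rdev=00:00
type=SYSCALL msg=audit(1629456000.202:3002): arch=c000003e syscall=90 success=yes exit=0 a0=55d0c1a2b3c0 a1=1ff a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key="test-perms"'

# Pull "key=value" out of a record line; $1 = line, $2 = key (must follow a space).
field() {
  rest="${1#* $2=}"
  [ "$rest" = "$1" ] && { echo ""; return; }   # key absent
  printf '%s\n' "${rest%% *}"
}

# Read ausearch output on stdin; print one line per mkdir/chmod call as
# "<call> mode=<octal> uid=<uid> exe=<path>", flagging world-writable modes.
# Note: the mode requested by mkdir() is still masked by the umask; the mode
# actually stored is in the matching PATH record (e.g. mode=040755).
# Rules added with auditctl -w are not persistent across a reboot; put them in
# /etc/audit/rules.d/ if the watch has to survive one.
summarize_dir_perms() {
  while IFS= read -r line; do
    case "$line" in type=SYSCALL*) ;; *) continue ;; esac
    case "$(field "$line" syscall)" in
      83) call=mkdir ;;
      90) call=chmod ;;
      *)  continue ;;
    esac
    mode=$(( 0x$(field "$line" a1) ))
    exe=$(field "$line" exe); exe=${exe#\"}; exe=${exe%\"}
    flag=""
    [ $(( mode & 2 )) -ne 0 ] && flag=" WORLD-WRITABLE"
    printf '%s mode=%04o uid=%s exe=%s%s\n' "$call" "$mode" "$(field "$line" uid)" "$exe" "$flag"
  done
}

# Usage on a live system (needs root and the watch rule from this note):
#   ausearch --raw -k test-perms | summarize_dir_perms
printf '%s\n' "$SAMPLE_RECORDS" | summarize_dir_perms
```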