[jbosstools-issues] [JBoss JIRA] (JBDS-4443) All data deleted from wonka server

Lukáš Valach (JIRA) issues at jboss.org
Mon Jun 12 11:33:01 EDT 2017


    [ https://issues.jboss.org/browse/JBDS-4443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13419715#comment-13419715 ] 

Lukáš Valach commented on JBDS-4443:
------------------------------------

My idea is to set up monitoring on the wonka server. If selinux is enabled, the auditing could be set up to log all write access to some file. This way, we can find which user deleted the file and from which IP they were connected.

{code}
sudo auditctl -w /tmp/compositeArtifacts.xml -p w -k whodeletedit

touch /tmp/compositeArtifacts.xml

cat -v /var/log/audit/audit.log | grep whodeletedit

# Output:
# type=CONFIG_CHANGE msg=audit(1497250106.146:799): auid=1001 ses=6 op=updated_rules path="/tmp/compositeArtifacts.xml" key="whodeletedit" list=4 res=1

# Then we can get user name from "auid":
getent passwd 1001

# Output:
# testuser1001:1001::/home/testuser:/bin/bash

# The "msg=audit" contains a date in milliseconds; we can convert it to a readable form
date -d @1497250106.146

# Output:
# Mon 12 Jun 08:48:26 CEST 2017

# Then we can find the IP address from which the user was connected using this command
journalctl _COMM=sshd | grep testuser

# Output:
# Jun 12 08:42:55 dhcp-10-40-5-149.brq.redhat.com sshd[29048]: Accepted password for testuser from 127.0.0.1 port 54722 ssh2
{code}

> All data deleted from wonka server
> ----------------------------------
>
>                 Key: JBDS-4443
>                 URL: https://issues.jboss.org/browse/JBDS-4443
>             Project: Red Hat JBoss Developer Studio (devstudio)
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 11.0.0.AM1
>            Reporter: Lukáš Valach
>            Assignee: Nick Boldt
>             Fix For: 11.0.0.AM1
>
>
> All the builds from wonka server [1] were deleted about 2. Jun at 8 AM (Boston time).
> [1] http://wonka.mw.lab.eng.bos.redhat.com/rhd/devstudio/
> The devstudio folder [1] was empty, all the builds (snapshots, staging, targetplatforms) were deleted. It happened the day after AM1 was staged. Since that time nothing was deleted.
> We met a similar problem on qa.jboss.com on 2017-4-20, see [2].
> [2] https://redhat.service-now.com/pnt?id=ticket&sys_id=90fcf53c13967240daa77b304244b019&table=x_redha_pnt_devops_table
> The devstudio.redhat.com has never been affected.
> We need to know who/what deleted the builds and ensure that it won't happen again. We also need to get Brno mirror [3] back to service.
> [3] http://download.englab.brq.redhat.com/pub/rhel/jbossqa/services/http/binaries/RHDS/



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
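
The lookup steps from the comment above (audit record, auid to user name, timestamp, sshd login) combined into one correlation script, as an added example that is not part of the original message. The sample log lines, the `users` mapping and the function names are constructed for illustration; the script reads `type=SYSCALL` records, which are the ones auditd writes when a watched file is accessed, and assumes the sshd timestamps are in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed samples shaped like audit.log and sshd journal lines (not real server data).
AUDIT_LOG = '''\
type=CONFIG_CHANGE msg=audit(1497250106.146:799): auid=1001 ses=6 op=updated_rules path="/tmp/compositeArtifacts.xml" key="whodeletedit" list=4 res=1
type=SYSCALL msg=audit(1497250200.512:803): arch=c000003e syscall=263 success=yes exit=0 ppid=29050 pid=29101 auid=1001 uid=0 gid=0 tty=pts1 ses=6 comm="rm" exe="/usr/bin/rm" key="whodeletedit"
'''
SSHD_LOG = '''\
Jun 12 06:30:01 host sshd[28000]: Accepted publickey for otheruser from 192.0.2.7 port 40112 ssh2
Jun 12 06:42:55 host sshd[29048]: Accepted password for testuser from 127.0.0.1 port 54722 ssh2
Jun 12 07:10:00 host sshd[29500]: Accepted password for testuser from 198.51.100.9 port 50100 ssh2
'''
AUDIT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:\d+\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SSHD_RE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port')

def file_events(audit_text, key):
    """SYSCALL records carrying the watch key; CONFIG_CHANGE only logs rule edits."""
    events = []
    for line in audit_text.splitlines():
        m = AUDIT_RE.match(line)
        if m and m.group(1) == "SYSCALL":
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
            if fields.get("key") == key:
                fields["when"] = datetime.fromtimestamp(int(m.group(2)), timezone.utc)
                events.append(fields)
    return events

def last_login_before(sshd_text, user, when):
    """Source address of the latest accepted login for user at or before `when`."""
    best = None
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if m and m.group(2) == user:
            # Syslog-style lines carry no year; take it from the audit event.
            ts = datetime.strptime(f"{when.year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
            if ts <= when and (best is None or ts > best[0]):
                best = (ts, m.group(3))
    return best[1] if best else None

def attribute(audit_text, sshd_text, key, users):
    """users maps auid strings to login names (what `getent passwd` would return)."""
    report = []
    for ev in file_events(audit_text, key):
        user = users.get(ev["auid"], ev["auid"])  # auid is the login uid, kept across sudo/su
        source = last_login_before(sshd_text, user, ev["when"])
        report.append({"when": ev["when"].isoformat(), "user": user, "exe": ev.get("exe"), "from": source})
    return report
```

In the constructed sample the event runs with `uid=0` but `auid=1001`, so the report still names the account that logged in, and the login at 07:10 is ignored because it happened after the file event.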


