Hello
config.php keeps changing ownership to root, preventing the firewall working. So I set up an audit, and it seems periodically config.php is deleted and a new version created with crond with the owner set as root. I've included the log below and highlighted the relevant parts. Any idea how to properly resolve this? Many Thanks.
type=PATH msg=audit(1485399901.940:35852): item=2 name="/var/www/html/wp-content/wflogs/config.tmp.tUtCnA" inode=1033038 dev=fd:01 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_rw_content_t:s0 objtype=DELETE
type=PATH msg=audit(1485399901.940:35852): item=3 name="/var/www/html/wp-content/wflogs/config.php" inode=1033068 dev=fd:01 mode=0100660 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_sys_rw_content_t:s0 objtype=DELETE
Triggered to record file name path information.
type=PATH msg=audit(1485399901.940:35852): item=4 name="/var/www/html/wp-content/wflogs/config.php" inode=1033038 dev=fd:01 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_rw_content_t:s0 objtype=CREATE
Triggered when a user disposes of user-space credentials.
type=CRED_DISP msg=audit(1485399901.945:35853): pid=32752 uid=0 auid=0 ses=4155 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Triggered when a user-space session is terminated.
type=USER_END msg=audit(1485399901.946:35854): pid=32752 uid=0 auid=0 ses=4155 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SYSCALL msg=audit(1485399938.097:35855): arch=c000003e syscall=90 success=no exit=-1 a0=7fd69fdb1498 a1=1b0 a2=7fd69a4e0640 a3=7fd69a4b7640 items=1 ppid=26266 pid=30830 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="configphp-changed"
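
One way to read the PATH records above, as an added example that is not part of the original post: group them by audit event serial and flag events where the watched file is replaced by one with a different owner. The function names are hypothetical, and the sample input is the three PATH records from the post.

```python
import re
from collections import defaultdict

# PATH records copied from the post above (quotes normalised to ASCII).
SAMPLE = '''\
type=PATH msg=audit(1485399901.940:35852): item=2 name="/var/www/html/wp-content/wflogs/config.tmp.tUtCnA" inode=1033038 dev=fd:01 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_rw_content_t:s0 objtype=DELETE
type=PATH msg=audit(1485399901.940:35852): item=3 name="/var/www/html/wp-content/wflogs/config.php" inode=1033068 dev=fd:01 mode=0100660 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_sys_rw_content_t:s0 objtype=DELETE
type=PATH msg=audit(1485399901.940:35852): item=4 name="/var/www/html/wp-content/wflogs/config.php" inode=1033038 dev=fd:01 mode=0100660 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_rw_content_t:s0 objtype=CREATE
'''

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# key=value pairs; values may be wrapped in ASCII or typographic quotes.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|”[^”]*”|\S+)')

def parse_path_records(text):
    """Group type=PATH records by audit event serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m and line.startswith("type=PATH"):
            fields = {k: v.strip('"”') for k, v in FIELD_RE.findall(line)}
            events[int(m.group(2))].append(fields)
    return events

def owner_changes(text, watched):
    """Return events where `watched` was replaced by a file with another owner."""
    findings = []
    for serial, recs in parse_path_records(text).items():
        mine = [r for r in recs if r.get("name") == watched]
        old = [r for r in mine if r.get("objtype") == "DELETE"]
        new = [r for r in mine if r.get("objtype") == "CREATE"]
        if not old or not new or old[0]["ouid"] == new[0]["ouid"]:
            continue
        # A rename keeps the inode: the source name appears as a DELETE
        # record carrying the same inode as the CREATE record.
        src = [r["name"] for r in recs if r.get("objtype") == "DELETE"
               and r["inode"] == new[0]["inode"] and r["name"] != watched]
        findings.append({"event": serial, "old_uid": int(old[0]["ouid"]),
                         "new_uid": int(new[0]["ouid"]),
                         "renamed_from": src[0] if src else None})
    return findings

if __name__ == "__main__":
    for finding in owner_changes(SAMPLE, "/var/www/html/wp-content/wflogs/config.php"):
        print(finding)
```

For event 35852 this reports owner 48 replaced by owner 0 through a rename of config.tmp.tUtCnA, which shares inode 1033038 with the new config.php. The SYSCALL record of that event, which is not among the lines posted, is the one that names the process; `ausearch -a 35852` retrieves the full event.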