<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Hi Michael,</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">I failed to find anything useful in the audit.log file as you recommended besides failed login attempts.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Thought I'd share this as well<br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"> # ps auxw | grep snmp<br>
snmp 24569 0.0 0.1 65068 8564 ? S 09:28 0:07 /usr/sbin/snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux mteTrigger mteTriggerConf -p /run/snmpd.pid<br>
root 26031 0.0 0.0 12940 968 pts/0 S+ 12:03 0:00 grep --color=auto snmp<br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"># ps auxw | grep pdns<br>
pdns 25624 0.1 0.1 1416756 16036 ? Ssl 11:11 0:03 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no<br>
root 26036 0.0 0.0 12940 1084 pts/0 S+ 12:04 0:00 grep --color=auto pdns<br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"># netstat -nl<br>
Active Internet connections (only servers)<br>
Proto Recv-Q Send-Q Local Address Foreign Address State<br>
tcp 0 0 10.157.4.178:53 0.0.0.0:* LISTEN<br>
tcp 0 0 41.210.187.101:53 0.0.0.0:* LISTEN<br>
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN<br>
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN<br>
tcp6 0 0 :::22 :::* LISTEN<br>
udp 0 0 10.157.4.178:53 0.0.0.0:*<br>
udp 0 0 41.210.187.101:53 0.0.0.0:*<br>
udp 0 0 127.0.0.1:53 0.0.0.0:*<br>
udp 0 0 0.0.0.0:161 0.0.0.0:*<br>
udp6 0 0 ::1:161 :::*<br>
Active UNIX domain sockets (only servers)<br>
Proto RefCnt Flags Type State I-Node Path<br>
unix 2 [ ACC ] STREAM LISTENING 664628 /run/user/1000/systemd/private<br>
unix 2 [ ACC ] STREAM LISTENING 620630 /run/user/1001/systemd/private<br>
unix 2 [ ACC ] SEQPACKET LISTENING 11972 /run/udev/control<br>
unix 2 [ ACC ] STREAM LISTENING 14915 /run/uuidd/request<br>
unix 2 [ ACC ] STREAM LISTENING 15150 /var/run/dbus/system_bus_socket<br>
unix 2 [ ACC ] STREAM LISTENING 15047 /var/lib/lxd/unix.socket<br>
unix 2 [ ACC ] STREAM LISTENING 15151 /run/snapd.socket<br>
unix 2 [ ACC ] STREAM LISTENING 15152 /run/snapd-snap.socket<br>
unix 2 [ ACC ] STREAM LISTENING 11885 /run/systemd/private<br>
unix 2 [ ACC ] STREAM LISTENING 11967 /run/systemd/journal/stdout<br>
unix 2 [ ACC ] STREAM LISTENING 11969 /run/lvm/lvmetad.socket<br>
unix 2 [ ACC ] STREAM LISTENING 11970 /run/systemd/fsck.progress<br>
unix 2 [ ACC ] STREAM LISTENING 10457 /run/lvm/lvmpolld.socket<br>
unix 2 [ ACC ] STREAM LISTENING 18924 /var/run/fail2ban/fail2ban.sock<br>
unix 2 [ ACC ] STREAM LISTENING 16697 @ISCSIADM_ABSTRACT_NAMESPACE<br>
unix 2 [ ACC ] STREAM LISTENING 15070 /run/acpid.socket#<br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br clear="all"></div><div><div dir="ltr" data-smartmail="gmail_signature"><div dir="ltr"><div><span style="font-family:trebuchet ms,sans-serif">Regards,<br></span></div><div><span style="font-family:trebuchet ms,sans-serif">Sharone B.</span><br></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 7 Jan 2020 at 22:02, Michael Ströder <<a href="mailto:michael@stroeder.com" target="_blank">michael@stroeder.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 1/7/20 3:00 PM, Sharone Bakara wrote:<br>
> On 7 Jan 2020, at 16:55, Remi Gacogne <<a href="mailto:remi.gacogne@powerdns.com" target="_blank">remi.gacogne@powerdns.com</a>> wrote:<br>
>> On 1/7/20 2:41 PM, Sharone wrote:<br>
>>> '/var/run/pdns-recursor': Permission denied"*<br>
>> I'm not sure of what your SNMP setup is, but it looks like the user<br>
>> invoking rec_control does not have the rights to create a new file in<br>
>> /var/run/pdns-recursor. What happens if you invoke the rec_control<br>
>> command directly as the 'pdns' user?<br>
><br>
> I get the same error as when I run it as root.<br>
<br>
Whenever "permissions denied" happens while running an action as root<br>
I'd check whether SELinux or AppArmor blocks some access.<br>
=> check your audit log (assuming you're running auditd)<br>
<br>
Ciao, Michael.<br>
</blockquote></div>
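<div>An added example, not part of the original messages: one way to carry out the suggested check for SELinux or AppArmor denials by parsing audit-style records. The sample records, the <code>example</code> command name and the function name <code>mac_denials</code> are constructed for illustration.</div>

```python
import re

# Constructed sample records (not taken from the thread): an AppArmor denial,
# an SELinux denial, and an unrelated failed-login record that must be ignored.
# When auditd is not running, AppArmor writes the same key=value fields to the
# kernel log, so the same function can be fed that text instead.
SAMPLE_LOG = """\
type=AVC msg=audit(1578400000.123:456): apparmor="DENIED" operation="mknod" profile="/usr/sbin/example" name="/run/example/ctl.sock" pid=1234 comm="example" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1578400001.456:457): avc:  denied  { create } for  pid=1240 comm="example" name="ctl.sock" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=USER_LOGIN msg=audit(1578400002.789:458): pid=1300 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
SELINUX = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')  # denied permission set


def mac_denials(text, comm=None):
    """Return one dict per AppArmor or SELinux denial, optionally for one command."""
    found = []
    for line in text.splitlines():
        kv = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
        selinux = SELINUX.search(line)
        if kv.get("apparmor") == "DENIED":
            rec = {"lsm": "apparmor",
                   "action": kv.get("operation"),
                   "policy": kv.get("profile")}
        elif selinux:
            rec = {"lsm": "selinux",
                   "action": f"{selinux.group(1)} {kv.get('tclass')}",
                   "policy": kv.get("scontext")}
        else:
            continue  # not a mandatory-access-control denial
        rec["comm"] = kv.get("comm")
        rec["target"] = kv.get("name") or kv.get("path")
        if comm is None or rec["comm"] == comm:
            found.append(rec)
    return found


if __name__ == "__main__":
    for rec in mac_denials(SAMPLE_LOG):
        print(rec)
```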