coursevector

Well-Known Member
Feb 23, 2015
102
8
18
cPanel Access Level
Root Administrator
I am trying to renew my Let's Encrypt certificate through WHM/cPanel. It wont' because of my CAA records. It reports this issue:

Code:
1:29:53 PM Verifying “Let’s Encrypt™”’s authorization on domains via DNS CAA records …
1:29:53 PM ERROR CA forbidden: “example.com”
So I got to the zone editor in cPanel, and look at the CAA records. I have:

Code:
example.com.    3600    IN    CAA    0    issue    comodoca.com
example.com.    3600    IN    CAA    0    issue    amazon.com
example.com.    3600    IN    CAA    0    issuewild    ;
example.com.    3600    IN    CAA    0    iodef    mailto:[email protected]
So I go, oh lemme add Lets Encrypt then. So I do that and it looks like this in the zone record now:

Code:
example.com.    3600    IN    CAA    0    issue    comodoca.com
example.com.    3600    IN    CAA    0    issue    amazon.com
example.com.    3600    IN    CAA    0    issuewild    ;
example.com.    3600    IN    CAA    0    iodef    mailto:[email protected]
example.com.    3600    IN    CAA    0    issue    letsencrypt.org
I run AutoSSL again and I get this:

Code:
3:54:53 PM Verifying “Let’s Encrypt™”’s authorization on domains via DNS CAA records …
3:54:53 PM ERROR CA forbidden: “example.com”
I go, that's strange, I just added it. I go back to the zone file, and lo-and-behold the record I just added is now gone. Like it never even happened. WHAT is going on? My certificate expired and cPanel won't let me renew it. Please help.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
9,366
799
263
Houston
You're doing this correctly, there must be something adding the record to the zone file or the change is not being retained for some reason.

Are you making the modification in cPanel's zone editor or through WHM? If you're doing it through cPanel could you try making the modification through WHM and let me know what the outcome is?

If the outcome is the same you might want to create an audit rule to see what's modifying the dns zone file for the domain, this isn't something that we add, my assumption is there's some script running that's adding this.
 

coursevector

Well-Known Member
Feb 23, 2015
102
8
18
cPanel Access Level
Root Administrator
@cPanelLauren

I was using the cPanel Zone Editor, so i tried the WHM DNS editor as you suggested. Same outcome, I can add the record and go back and verify it saved it. Then when I run Let's Encrypt from AutoSSL it says it's forbidden. I then go back and look and the record has been removed. I also checked the raw zone file to see if maybe it commented it out or something but nada.

I had never heard of an audit rule before so I had to look it up. This is what it logged:
Code:
# Add CAA record
type=CONFIG_CHANGE msg=audit(1581734154.486:32626): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1581734255.007:32629): arch=c000003e syscall=2 success=yes exit=7 a0=1b01e50 a1=80042 a2=180 a3=2ac4c68b59d6 items=2 ppid=1608 pid=30250 auid=4294967295 uid=0gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CONFIG_CHANGE msg=audit(1581734255.008:32630): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1581734255.008:32631): arch=c000003e syscall=82 success=yes exit=0 a0=1b0cda0 a1=1ace150 a2=2ac4c6c39b80 a3=3 items=5 ppid=1608 pid=30250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734255.009:32632): arch=c000003e syscall=92 success=yes exit=0 a0=1b0e690 a1=19 a2=19 a3=7ffe1f9f1d20 items=1 ppid=1608 pid=30250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734257.028:32633): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734257.038:32634): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"

# Run AutoSSL
type=SYSCALL msg=audit(1581734446.945:32695): arch=c000003e syscall=2 success=yes exit=7 a0=1b2cd60 a1=80042 a2=180 a3=2ac4c68b59d6 items=2 ppid=1608 pid=30738 auid=4294967295 uid=0gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CONFIG_CHANGE msg=audit(1581734446.946:32696): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1581734446.946:32697): arch=c000003e syscall=82 success=yes exit=0 a0=1b31870 a1=1b29020 a2=2ac4c6c39b80 a3=3 items=5 ppid=1608 pid=30738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734446.946:32698): arch=c000003e syscall=92 success=yes exit=0 a0=1b2ea70 a1=19 a2=19 a3=7ffe1f9f1d20 items=1 ppid=1608 pid=30738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734448.964:32699): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=SYSCALL msg=audit(1581734448.970:32700): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
9,366
799
263
Houston
Hi @coursevector

Nice job creating the audit rule, sometimes I forget that it might not be something people use often and that's completely my fault, I apologize, I should have given you instructions.

I was hoping to see a modification by a service besides root or named unfortunately but this output just shows named making a change and root - which is standard when either of these actions is occurring. Was there output from after you made the modification until you ran autossl? What are the permissions of /var/named/example.com.db? Do you have a DNS cluster?
 

coursevector

Well-Known Member
Feb 23, 2015
102
8
18
cPanel Access Level
Root Administrator
@cPanelLauren
I couldn't find the original log anymore, i guess it cycled out so I re-ran the test. What I did before was set the "key" to a easy to find identifier and filtered to just show the records with that key. Below is a more verbose version based on the start of the first record and the end of the last record. But to answer your questions:

Permissions:
Code:
-rw-------.  1 named named 3.7K Feb 18 15:34 example.com.db
Code:
# stat example.com.db
  File: ‘example.com.db’
  Size: 3703            Blocks: 8          IO Block: 4096   regular file
Device: ca01h/51713d    Inode: 12809223    Links: 1
Access: (0600/-rw-------)  Uid: (   25/   named)   Gid: (   25/   named)
Context: system_u:object_r:named_zone_t:s0
Access: 2020-02-18 15:34:49.457145166 -0500
Modify: 2020-02-18 15:34:47.431159732 -0500
Change: 2020-02-18 15:34:47.431159732 -0500
 Birth: -
I am not running a DNS cluster.

Code:
type=SYSCALL msg=audit(1582058070.552:92870): arch=c000003e syscall=2 success=yes exit=7 a0=2b92190 a1=80042 a2=180 a3=2ad70e2479d6 items=2 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058070.552:92870):  cwd="/"
type=PATH msg=audit(1582058070.552:92870): item=0 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.552:92870): item=1 name="/var/named/example.com.db" inode=12602763 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058070.552:92870): proctitle=646E7361646D696E202D20534156455A4F4E45202D20444C45467533713168536C6D49495836594935576478664B46325133793065305F3135383230353830373020284C4F43414C29
type=CONFIG_CHANGE msg=audit(1582058070.554:92871): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1582058070.554:92872): arch=c000003e syscall=82 success=yes exit=0 a0=2b98a70 a1=2b8f4c0 a2=2ad70e5cbb80 a3=3 items=5 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058070.554:92872):  cwd="/"
type=PATH msg=audit(1582058070.554:92872): item=0 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.554:92872): item=1 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.554:92872): item=2 name="/var/named/example.com.db-25e658099a235-2a3ae543-16f8b" inode=12809226 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.554:92872): item=3 name="/var/named/example.com.db" inode=12602763 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058070.554:92872): item=4 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058070.554:92872): proctitle=646E7361646D696E202D20534156455A4F4E45202D20444C45467533713168536C6D49495836594935576478664B46325133793065305F3135383230353830373020284C4F43414C29
type=SYSCALL msg=audit(1582058070.555:92873): arch=c000003e syscall=92 success=yes exit=0 a0=2b921c0 a1=19 a2=19 a3=7ffc7c7282a0 items=1 ppid=1608 pid=19049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053415645 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058070.555:92873):  cwd="/"
type=PATH msg=audit(1582058070.555:92873): item=0 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058070.555:92873): proctitle=646E7361646D696E202D20534156455A4F4E45202D20444C45467533713168536C6D49495836594935576478664B46325133793065305F3135383230353830373020284C4F43414C29
type=SYSCALL msg=audit(1582058072.572:92874): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058072.572:92874):  cwd="/var/named"
type=PATH msg=audit(1582058072.572:92874): item=0 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058072.572:92874): proctitle=2F7573722F7362696E2F6E616D6564002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
type=SYSCALL msg=audit(1582058072.578:92875): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0001" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058072.578:92875):  cwd="/var/named"
type=PATH msg=audit(1582058072.578:92875): item=0 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058072.578:92875): proctitle=2F7573722F7362696E2F6E616D6564002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
type=SYSCALL msg=audit(1582058087.430:92876): arch=c000003e syscall=2 success=yes exit=7 a0=2bb7d70 a1=80042 a2=180 a3=2ad70e2479d6 items=2 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058087.430:92876):  cwd="/"
type=PATH msg=audit(1582058087.430:92876): item=0 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.430:92876): item=1 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058087.430:92876): proctitle=646E7361646D696E202D2053594E435A4F4E4553202D2058394E68764E414C5866394C4B4B35794C41486E6949377466515A596B4E4C305F3135383230353830383720284C4F43414C29
type=CONFIG_CHANGE msg=audit(1582058087.431:92877): auid=4294967295 ses=4294967295 op=updated_rules path="/var/named/example.com.db" key="example_dns_change" list=4 res=1
type=SYSCALL msg=audit(1582058087.431:92878): arch=c000003e syscall=82 success=yes exit=0 a0=2bbc890 a1=2bb3fa0 a2=2ad70e5cbb80 a3=3 items=5 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058087.431:92878):  cwd="/"
type=PATH msg=audit(1582058087.431:92878): item=0 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.431:92878): item=1 name="/var/named/" inode=12747081 dev=ca:01 mode=040755 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.431:92878): item=2 name="/var/named/example.com.db-25e658099a235-1d16c4c43-5e7f" inode=12809223 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.431:92878): item=3 name="/var/named/example.com.db" inode=12809226 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1582058087.431:92878): item=4 name="/var/named/example.com.db" inode=12809223 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058087.431:92878): proctitle=646E7361646D696E202D2053594E435A4F4E4553202D2058394E68764E414C5866394C4B4B35794C41486E6949377466515A596B4E4C305F3135383230353830383720284C4F43414C29
type=SYSCALL msg=audit(1582058087.431:92879): arch=c000003e syscall=92 success=yes exit=0 a0=2bb9a80 a1=19 a2=19 a3=7ffc7c7282a0 items=1 ppid=1608 pid=19142 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=646E7361646D696E202D2053594E43 exe="/usr/local/cpanel/whostmgr/bin/dnsadmin" subj=system_u:system_r:unconfined_service_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058087.431:92879):  cwd="/"
type=PATH msg=audit(1582058087.431:92879): item=0 name="/var/named/example.com.db" inode=12809223 dev=ca:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058087.431:92879): proctitle=646E7361646D696E202D2053594E435A4F4E4553202D2058394E68764E414C5866394C4B4B35794C41486E6949377466515A596B4E4C305F3135383230353830383720284C4F43414C29
type=SYSCALL msg=audit(1582058089.457:92880): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865ec8 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058089.457:92880):  cwd="/var/named"
type=PATH msg=audit(1582058089.457:92880): item=0 name="/var/named/example.com.db" inode=12809223 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058089.457:92880): proctitle=2F7573722F7362696E2F6E616D6564002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66
type=SYSCALL msg=audit(1582058089.465:92881): arch=c000003e syscall=2 success=yes exit=6 a0=7fbde9865400 a1=0 a2=1b6 a3=24 items=1 ppid=1 pid=1609 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="isc-worker0000" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key="example_dns_change"
type=CWD msg=audit(1582058089.465:92881):  cwd="/var/named"
type=PATH msg=audit(1582058089.465:92881): item=0 name="/var/named/example.com.db" inode=12809223 dev=ca:01 mode=0100600 ouid=25 ogid=25 rdev=00:00 obj=system_u:object_r:named_zone_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1582058089.465:92881): proctitle=2F7573722F7362696E2F6E616D6564002D75006E616D6564002D63002F6574632F6E616D65642E636F6E66