Latest update:
Summary of actions. This mixes a couple of terminals. Lines prefixed with "$" are run as a user, lines not prefixed were run as root (markdown throws a hissy if a line starts with a "#").
Reset the audit system, monitor file accesses to /var
then get the problematic css:
Repeat for wiki.home
Extract the audit trails. Also change ownership (not shown)
ausearch -k httpdtesttamar -ts 09:05 >audit.tamar
ausearch -k httpdtestwiki -ts 09:05 >audit.wiki
Let's see which files were accessed:
$ grep PATH audit.tamar >audit.tamar.PATH
$ grep PATH audit.wiki >audit.wiki.PATH
Thousands! Extract the file name and inode:
$ cut -f4,5 -d " " audit.tamar.PATH | sort -u >audit.tamar.PATH.uniq
$ cut -f4,5 -d " " audit.wiki.PATH | sort -u >audit.wiki.PATH.uniq
Same length - look for the differences ("star" is the wild card due to markdown formatting again):
$ diff <star>.uniq
$ ls -l css.php<star>
...
-rw-r--r--. 1 XXXXX XXXXX 218286 May 13 22:52 css.php.3
-rw-r--r--. 1 XXXXX XXXXX 256101 Jun 6 21:39 css.php.4
No difference in file accesses and yet the "wget"ed files
are different, and a different date! Version 3 is the working CSS file using tamar.home, version 4 is the other one. What is also confusing is that neither date (which wget should preserve) or length matches the found versions:
ls -l /var/www/html/dokuwiki/lib/exe/css.php /var/www/html/dokuwiki/lib/tpl/bootstrap3/css.php
-rw-r--r--. 1 apache apache 20489 May 1 2020 /var/www/html/dokuwiki/lib/exe/css.php
-rw-r--r--. 1 apache apache 5361 May 8 02:28 /var/www/html/dokuwiki/lib/tpl/bootstrap3/css.php
Oh, and as a last quick check:
grep css audit.tamar.PATH
type=PATH msg=audit(1624608393.011:8530): item=0 name="/var/www/html/dokuwiki/lib/exe/css.php" inode=2855099 dev=fd:00 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
grep css audit.wiki.PATH
type=PATH msg=audit(1624608435.389:9933): item=0 name="/var/www/html/dokuwiki/lib/exe/css.php" inode=2855099 dev=fd:00 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Which doesn't include the bootstrap css.php! Am I looking in the wrong filesystem?