[TriLUG] Modification of /etc/hosts

Jeff Schornick jeff at schornick.org
Wed Feb 3 13:07:52 EST 2010


On Wed, Feb 3, 2010 at 10:24, Brian Weaver <cmdrclueless at gmail.com> wrote:
> So I'm trying to figure out what program is modifying my /etc/hosts
> file and I'm not having any luck.

I'm not familiar with CentOS, but if it's a modern distro with a 2.6
kernel, you can use the kernel's audit system:

# auditctl -w /tmp/myfile -p w
# auditctl -l
LIST_RULES: exit,always watch=/tmp/myfile perm=w

$ cp /tmp/otherfile /tmp/myfile

# type=SYSCALL msg=audit(1265220365.138:40): arch=c000003e syscall=2
success=yes exit=4 a0=7fffd55386c3 a1=201 a2=0 a3=7fffd5537490 items=1
ppid=14345 pid=15001 auid=4294967295 uid=1000 gid=1000 euid=1000
suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5
ses=4294967295 comm="cp" exe="/bin/cp" key=(null)
type=CWD msg=audit(1265220365.138:40):  cwd="/tmp"
type=PATH msg=audit(1265220365.138:40): item=0 name="/tmp/myfile"
inode=75723 dev=08:05 mode=0100644 ouid=1000 ogid=0 rdev=00:00

Though there are some operations which might not get caught/flagged by
that particular rule, there's a good chance it could shed some light.

  - Jeff


