41

I'm trying to find a reliable way of finding which process on my machine is changing a configuration file (/etc/hosts to be specific).

I know I can use lsof /etc/hosts to find out what processes currently have the file open, but this doesn't help because the process is obviously opening the file, writing to it, and then closing it again.

I also looked at lsof's repeat option (-r), but it seems to only go as fast as once a second, which probably won't ever capture the write in progress.

I know of a couple of tools for monitoring changes to the filesystem, but in this case I want to know which process is responsible, which means catching it in the act.

robbles

4 Answers

61

You can use auditing to find this. If not already available, install and enable auditing for your distro.

Set an audit watch on /etc/hosts:

/sbin/auditctl -w /etc/hosts -p warx -k hosts-file

-w watch /etc/hosts
-p warx watch for write, attribute change, execute or read events
-k hosts-file is a search key.

Wait till the hosts file changes and then use ausearch to see what is logged:

/sbin/ausearch -f /etc/hosts | more

You'll get masses of output, e.g.

> time->Wed Oct 12 09:34:07 2011
> type=PATH msg=audit(1318408447.180:870): item=0 name="/etc/hosts" inode=2211062 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
> type=CWD msg=audit(1318408447.180:870): cwd="/home/iain"
> type=SYSCALL msg=audit(1318408447.180:870): arch=c000003e syscall=2 success=yes exit=0 a0=7fff73641c4f a1=941 a2=1b6 a3=3e7075310c items=1 **ppid=7259** **pid=7294** auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=123 comm="touch" **exe="/bin/touch"** subj=user_u:system_r:unconfined_t:s0 key="hosts-file"

In this case I used the touch command to change the file's timestamp; its pid was 7294 and its ppid was 7259 (my shell).

gm3dmo
user9517
  • The "enable auditing for your distro" should probably be expanded a bit. Annoyingly, the commands above gave me neither errors nor results. "/sbin/auditctl -e 1" also didn't help. Running an audit daemon to do the logging did help - "/etc/init.d/auditd start" (though it deleted my rules, so I had to enter them again). – tobixen Jul 23 '12 at 10:19
  • Didn't work for me, `ausearch` always returns `` – m0skit0 Nov 12 '15 at 10:59
  • Sometimes you may need to set multiple audits to get the actual process which initiated the modification, if that process is, for example, calling an external command to do the work for it. I.e. I was trying to find out why a user crontab entry was constantly being reset. The crontab command was responsible, but by the time I checked the ppid it had exited, so I had to audit /usr/bin/crontab as well, then match the timestamp of the access to the crontab to the audited execute of crontab and then check its ppid... which revealed an orchestration daemon was enforcing a specific user cron config. – Wil Dec 08 '18 at 06:47
  • "You'll get masses of output" - `ausearch --format text` is a **much** friendlier output. See also `--format csv` for easier parsing with scripts – Costin Gușă Jul 01 '21 at 18:57
1

After a lot of searching, I found the solution, just use this command: sudo fs_usage | grep [path_to_file]

treblam
0

You can also use inotify-tools:

inotifywait -mq -e open -e modify /etc/hosts

Dragos
    Auditd is able to give you the information you want. Even though it's easy to make the assumption that inotify will let you do this - it won't, since it will not give you the process id that made the modification. – objectified Oct 12 '11 at 08:31
-1

Probably better to use something like incron then:

http://inotify.aiken.cz/?section=incron&page=about&lang=en

You can then get it to trigger a script to do some sort of diagnostics.

krad