On Wednesday 25 October 2017 09:19:04 Roberto C. Sánchez wrote: > On Tue, Oct 24, 2017 at 11:49:21AM -0500, David Wright wrote: > > Perhaps you could watch the file with inotifywait, and capture > > a ps and maybe even a lsof listing at that moment. > > I have both inotify-hookable and incrond watching the file and the > output of `lsof /etc/resolv.conf` and `ps -ef` triggered by both of > those for any access if resolv.conf (whether read or write) does not > show anything related to resolv.conf at all, except for the incron and > inotify-hookable processes watching the file. > > Regards, > > -Roberto
And I have a thought. The immutable bit may be hiding the attempted access from inotifywait because it may be set to only report success at changing the file. I am not familiar with inotify-hookable. But inotifywait has several options so I'd study the man page to see if a different one may be more suitable to catch this perp. I use it here to tell kmail about incoming mail by triggering on the closing of the /var/spool/mail/name file(s) after procmail has delivered it. It has worked well for that for at least a decade now. But thats not germane to this, only that I am familiar with it to that extent. Cheers, Gene Heskett -- "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Genes Web page <http://geneslinuxbox.net:6309/gene>
