Re: Why does resolv.conf keep changing?
- Date: Wed, 25 Oct 2017 09:38:54 -0400
- From: Gene Heskett <gheskett@xxxxxxxxxxx>
- Subject: Re: Why does resolv.conf keep changing?
On Wednesday 25 October 2017 09:19:04 Roberto C. Sánchez wrote:
> On Tue, Oct 24, 2017 at 11:49:21AM -0500, David Wright wrote:
> > Perhaps you could watch the file with inotifywait, and capture
> > a ps and maybe even a lsof listing at that moment.
> I have both inotify-hookable and incrond watching the file and the
> output of `lsof /etc/resolv.conf` and `ps -ef` triggered by both of
> those for any access if resolv.conf (whether read or write) does not
> show anything related to resolv.conf at all, except for the incron and
> inotify-hookable processes watching the file.
And I have a thought. The immutable bit may be hiding the attempted
access from inotifywait because it may be set to only report success at
changing the file. I am not familiar with inotify-hookable. But
inotifywait has several options so I'd study the man page to see if a
different one may be more suitable to catch this perp. I use it here to
tell kmail about incoming mail by triggering on the closing of
the /var/spool/mail/name file(s) after procmail has delivered it. It
has worked well for that for at least a decade now.
But thats not germane to this, only that I am familiar with it to that
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>