Some files on a Debian 9 server are periodically overwritten back to their original state after I modify them. I couldn't find what process/program is doing that job. Nothing is defined in crontab. Possibly it is done from a remote server (i.e. Ansible/Puppet), but I couldn't find evidence.

I tried to use lsof and fuser, but no process is using these files.

My question is how to set up a monitor for these files and find out what process changed their contents.

NeilWang
  • You may find solutions there: https://unix.stackexchange.com/questions/92013/monitoring-file-changes-process-access-to-files?rq=1 – roneo.org Jan 08 '21 at 08:41
  • I read that thread before. However, inotify won't tell you which process has modified the file. strace only tracks a running program, which is not the case here. – NeilWang Jan 10 '21 at 09:37

1 Answer

Good question! Intrusion Detection Systems are used for things like this, or at least they could be, so maybe one of those (aide, tripwire, ...) already has such a capability, or one could ask about it there.

If you know the files being modified beforehand (or have a list of files which are important to remain unmodified, and the times and usernames that show that you modified them yourself), you could use something suggested here.

If you'd like to use auditd, here you can find a guide to do so.

mYnDstrEAm
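As an added example (not part of the answer above and not code from the auditd project), the following POSIX shell script shows the auditd route end to end: it installs a kernel watch on the file that keeps being reverted and then reduces the resulting audit records to the pid, command and executable that wrote to it. The path `/etc/motd`, the key name `who-rewrites` and the sample audit records are placeholders constructed for this example; the record layout (a `SYSCALL` record joined to its `PATH` records by the `msg=audit(...)` serial) is auditd's standard raw format.

```shell
#!/bin/sh
# Added example: attribute changes to a file to a process with auditd.
# Assumes the auditd package is installed (auditctl and ausearch in PATH).
# WATCH_FILE and AUDIT_KEY are placeholders for this example.

WATCH_FILE="${WATCH_FILE:-/etc/motd}"     # placeholder: the file that keeps reverting
AUDIT_KEY="${AUDIT_KEY:-who-rewrites}"    # arbitrary tag added to matching records

# Install a watch: log every write (w) and attribute change (a) to the file.
# Needs root. Because the hook lives in the kernel, it also catches processes
# that exit long before lsof or fuser could be run. Put the same rule in
# /etc/audit/rules.d/ if it must survive a reboot.
install_watch() {
    auditctl -w "$WATCH_FILE" -p wa -k "$AUDIT_KEY"
}

# Read raw audit records (a file argument or stdin) and print, per event tagged
# with our key, the process that caused it and the file it touched.
who_touched() {
    awk -v key="$AUDIT_KEY" '
        # Value of the " name=value" field of a record: quoted values lose their
        # quotes, bare values run to the next space. The leading space keeps
        # "pid" from matching inside "ppid".
        function field(line, name) {
            if (match(line, " " name "=\"[^\"]*\""))
                return substr(line, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
            if (match(line, " " name "=[^ ]*"))
                return substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            return ""
        }
        # SYSCALL record carrying our key: remember which process it was.
        /^type=SYSCALL / && field($0, "key") == key {
            serial = field($0, "msg")
            who[serial] = "pid=" field($0, "pid") " comm=" field($0, "comm") " exe=" field($0, "exe")
        }
        # PATH records of the same event name the files involved. The parent
        # directory entry is skipped; CREATE/DELETE entries are kept because
        # config-management tools usually replace a file via rename.
        /^type=PATH / {
            serial = field($0, "msg")
            if (serial in who && field($0, "nametype") != "PARENT")
                print who[serial] " file=" field($0, "name")
        }
    ' "$@"
}

# Constructed sample records (not from a real system). The first event is
# tagged with our key; the second belongs to another rule and must be ignored.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1610000000.101:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=2 ppid=2340 pid=2345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python2.7" exe="/usr/bin/python2.7" key="who-rewrites"
type=CWD msg=audit(1610000000.101:4567):  cwd="/root"
type=PATH msg=audit(1610000000.101:4567): item=0 name="/etc/" inode=2 dev=fe:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1610000000.101:4567): item=1 name="/etc/motd" inode=1234 dev=fe:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1610000000.202:4570): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=1 pid=999 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="other-rule"
type=PATH msg=audit(1610000000.202:4570): item=0 name="/etc/hostname" inode=77 dev=fe:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# Typical use on the server, as root:
#   install_watch
#   ... wait for the file to be reverted again ...
#   ausearch -k "$AUDIT_KEY" --raw | who_touched
# or, reading the log directly:
#   who_touched /var/log/audit/audit.log
# Offline demonstration on the constructed records:
#   sample_log | who_touched
```

The output line for the sample (`pid=2345 comm=python2.7 exe=/usr/bin/python2.7 file=/etc/motd`) is the information the question is after: the `ppid` and `auid` fields in the same `SYSCALL` record then tell you whether that interpreter was started by a local service or by an SSH session, which is how a remote Ansible or Puppet run would show up.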