Anyone know how to see what pid/process has modified a Linux routing table (specifically on Ubuntu)? I have an interesting problem where a route that I have created has been deleted over time, but I can't figure out what is deleting it. I've tried rtmon, but it seems to only show timestamps of the adds/deletes.
The better solution:
sudo apt-get install auditd
Set up watch:
sudo auditctl -w /path/to/your/file -p wa -k file_change_monitor
Check log:
sudo ausearch -k file_change_monitor
Alternative solution:
If you know the file that is being edited you can set up watches with inotifywait and log it to a file. This may possibly not work because lsof might not be quick enough.

sudo apt-get install inotify-tools
Then put this script in autostart:

#!/bin/bash
FILE_TO_MONITOR="/path/to/your/file"
LOG_FILE="/path/to/logfile.txt"

# Watch the file and print one line per event: path, event name, timestamp.
# `read` assigns the remainder of the line to its last variable, so the
# date and time (separated by a space) both end up in $time.
inotifywait -m -e modify,move,create,delete --format '%w %e %T' --timefmt '%Y-%m-%d %H:%M:%S' "$FILE_TO_MONITOR" |
while read -r path action time; do
    # Get the PID of the process that last modified the file
    # (best effort: lsof only sees it while the file is still open,
    # and only the first PID is kept if several have it open)
    PID=$(lsof -t "$FILE_TO_MONITOR" 2>/dev/null | head -n 1)
    # Get the process name using the PID (empty if lsof found nothing)
    PROCESS_NAME=$(ps -p "${PID:-0}" -o comm= 2>/dev/null)
    # Log details to the file
    echo "$time: File $path was $action by PID ${PID:-unknown} ($PROCESS_NAME)" >> "$LOG_FILE"
done
Don’t forget to modify the values at the top of the script and make it executable.
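Added example, not part of the answer above: the auditd watch records the pid, command name and executable of the writer inside each SYSCALL record, so there is no lsof race to lose. The script below parses that output (a constructed sample of `ausearch -k file_change_monitor`, with made-up pids, paths and timestamps) and prints one line per writer. The second audit rule in audit_rules is my own assumption for the routing-table case rather than anything the answer states: `ip route` and daemons that change routes do so over a netlink socket, so auditing socket() calls with domain AF_NETLINK (16) records whichever process opens one.

```bash
#!/bin/bash
# Added example, not from the original answer: extract which process touched
# the watched file from the audit records the answer's auditctl rule produces.
# pid=, comm=, exe= and key= are the standard audit SYSCALL record fields.

# Rules for /etc/audit/rules.d/route.rules (or pass each to auditctl).
# Line 1 is the watch from the answer. Line 2 is an assumption for the route
# case: route changes go through a netlink socket, so audit socket(AF_NETLINK=16).
# Load with: sudo augenrules --load
audit_rules() {
    cat <<'EOF'
-w /path/to/your/file -p wa -k file_change_monitor
-a always,exit -F arch=b64 -S socket -F a0=16 -k netlink_route
EOF
}

# Constructed sample of `sudo ausearch -k file_change_monitor` in raw form
# (ausearch -i would resolve the numbers to names). Values are made up.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1 a2=241 a3=1b6 items=2 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=unconfined key="file_change_monitor"
type=CWD msg=audit(1700000000.123:4567): cwd="/"
type=PATH msg=audit(1700000000.123:4567): item=1 name="/path/to/your/file" inode=34 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1700000000.456:4568): arch=c000003e syscall=82 success=yes exit=0 a0=7ffc a1=7ffd a2=0 a3=0 items=4 ppid=2345 pid=2346 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" subj=unconfined key="file_change_monitor"'

# Print one line per SYSCALL record read from stdin: event-id pid comm exe.
# On a real host: sudo ausearch -k file_change_monitor | audit_writers
audit_writers() {
    awk '
    /^type=SYSCALL/ {
        # event id is the "seconds.millis:serial" inside msg=audit(...)
        ev = $0; sub(/.*msg=audit\(/, "", ev); sub(/\).*/, "", ev)
        pid = ""; comm = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "pid")  pid  = v
            if (k == "comm") comm = v
            if (k == "exe")  exe  = v
        }
        print ev, pid, comm, exe
    }'
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_writers
```

With the netlink rule loaded, `sudo ausearch -k netlink_route | audit_writers` lists every process that opened a netlink socket, which on a quiet box narrows the route deletion down to a handful of pids; NetworkManager, systemd-networkd, dhclient and VPN clients are the usual suspects. A SYSCALL record also carries ppid= and auid=, so the same parser can be extended to print who started the process if the comm alone is ambiguous.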