Re: /etc/resolv.conf being blanked
Hi.
On Sun, 11 Oct 2015 12:23:03 +0100
Dominic Hargreaves <dom@earth.li> wrote:
> On Sun, Oct 11, 2015 at 12:39:02PM +0200, tomas@tuxteam.de wrote:
> > On Sun, Oct 11, 2015 at 12:05:53PM +0100, Dominic Hargreaves wrote:
> > > [Please CC me on replies]
> > >
> > > Hi,
> > >
> > > On my freshly installed Debian jessie system, running XFCE and
> > > Network Manager, I'm seeing /etc/resolv.conf being blanked every so
> > > often (it seems to be about every 20 minutes). I can't see what is doing
> > > this; there's nothing in the system logs which correlates with this event.
> >
> > See my other post: the brutal (but effective) self-defense tool I used
> > (back then, when NM was yet allowed on my boxes ;-) was to "chattr +i"
> > the file. With some luck I'd find complaints in the log files which helped
> > clear up which program (and in which context) was trying to do something
> > to the files.
> >
> > The nice part of chattr is that it protects the direntry too (so the
> > obvious fall-back of removing and re-creating doesn't help).
>
> But I *want* NM to update the file, and I don't have any evidence that
> it's NM blanking it here. So preventing updates isn't what I want.
>
> Having said that, you're right that looking for complaints could be
> an effective debugging tool. I'll give that a go.
Setting immutable bit is a crude, but effective technique indeed. But
there's less destructive approach called auditd.
Install it, start it, invoke
auditctl -w /etc/resolv.conf -p wa
Watch the results in /var/log/audit.
To disable watching, invoke
auditctl -W /etc/resolv.conf
Reco
Reply to: