On 03/10/2025 18:25, Greg Wooledge wrote:
On Fri 03 Oct 2025 at 02:59:47 (-0400), Avinash Sonawane wrote:
Over the coming weekend I'm planning to install Debian again. This time I'll be using debian-13.1.0-amd64-DVD-1.iso. What can I do to catch the culprit in/after the action?
[...]
Another thing that one might try here would be to do only the Standard installation (no Desktop Environment), then reboot into the system normally, then set up your inotify traps or whatever, and then "finish" the installation by running tasksel and choosing your Desktop Environment.
Another approach is to get a list of suspicious packages from dpkg.log in the current system (ones that were configured during the same second as /.cache was created) and to install them one by one to a minimal system originally installed without any DE.
Unfortunately, this is where my knowledge begins to fall short. I can't see anything in inotifywait(1) or inotify(7) that gives you the *process*
You may log the process tree (ps xauwf) when the directory is created or send SIGSTOP to the apt process group. Even if it happens during processing of the next package, it narrows down the list to just a few packages.
Auditd may be a better tool though.
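
The dpkg.log correlation suggested above, as an added example that is not part of the original message: it lists packages whose `configure` or `trigproc` entry falls in the same second as the directory's birth time, plus the last one started before it, since a maintainer script may still have been running. The function names and the sample log (package names, timestamps) are constructed; it assumes GNU `stat`/`date`, a filesystem that records birth time, and that dpkg.log timestamps are local time.

```shell
#!/bin/sh
# Added example, not from the thread. Names and sample data are constructed.

# Birth time of a path in dpkg.log's "YYYY-MM-DD HH:MM:SS" form.
# Assumes GNU stat/date and that dpkg.log uses local time.
birth_stamp() {
    epoch=$(stat -c %W "$1") || return 1
    [ "$epoch" -gt 0 ] || return 1   # 0 means no birth time recorded
    date -d "@$epoch" '+%Y-%m-%d %H:%M:%S'
}

# dpkg_suspects LOGFILE STAMP
# Prints package:arch names that dpkg was configuring at STAMP.
dpkg_suspects() {
    awk -v t="$2" '
        # dpkg.log fields: date time action package:arch version ...
        $3 == "configure" || $3 == "trigproc" {
            ts = $1 " " $2
            if (ts == t) print $4            # started in the same second
            else if (ts < t) running = $4    # last one started before STAMP
        }
        END { if (running != "") print running }
    ' "$1" | sort -u
}

# Constructed dpkg.log excerpt for trying the function offline.
sample_log() {
    cat <<'EOF'
2025-01-01 10:00:00 startup packages configure
2025-01-01 10:00:01 configure pkg-a:amd64 1.0-1 <none>
2025-01-01 10:00:01 status half-configured pkg-a:amd64 1.0-1
2025-01-01 10:00:02 status installed pkg-a:amd64 1.0-1
2025-01-01 10:00:02 configure pkg-b:all 2.0-1 <none>
2025-01-01 10:00:05 configure pkg-c:amd64 3.0-1 <none>
2025-01-01 10:00:05 trigproc pkg-d:amd64 4.0-1 <none>
2025-01-01 10:00:09 configure pkg-e:amd64 5.0-1 <none>
EOF
}

# Typical use on the affected system:
#   dpkg_suspects /var/log/dpkg.log "$(birth_stamp /.cache)"
```

The resulting short list is what would then be installed one package at a time on the minimal system.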