Hello
On 2023-02-24 11:27, daven...@tuxfamily.org wrote:
On 2023-02-24 10:27, to...@tuxteam.de wrote:
On Fri, Feb 24, 2023 at 10:19:38AM +0100, daven...@tuxfamily.org wrote:
[...]
BUT I will make sure to take some time to dig into the logs Monday.
Now that I have an idea what I'm looking for, totally agree logs are
better than suspicion.
I did
- chattr +i /etc/revolv.conf
And when auditd showed a (failed) delete event on /etc/resolv.conf
I grepped "resolv.conf" recursively on /var/log/, and all I've found are
entries in:
- /var/log/installer from more than 1 year ago, since the log file is
small, I guess it has never been rotated
- audit.log, since write and append to "/etc/resolv.conf" are audited
- auth.log : authentication related to commands I've used this morning,
which are "auditctl -w /etc/resolv.conf -p wa" and "chattr +i
/etc/revolv.conf"
But whatever process tried to delete "/etc/resolv.conf" while it was
immutable didn't leave traces.
Not even a log for permission error because of the immutable flag. At
least not in /var/log anyway.
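
An added example, not part of the original message: audit.log splits one event across several records that share the same `audit(timestamp:serial)` id, so the PATH record naming /etc/resolv.conf has to be joined with its SYSCALL record to read the pid, comm and exe of the caller. The log lines, the process name `example-daemon` and the function names are constructed for illustration, and the code assumes the PATH record carries the absolute path.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE = '''\
type=SYSCALL msg=audit(1677237000.101:4821): arch=c000003e syscall=87 success=no exit=-1 items=2 ppid=1 pid=812 uid=0 comm="example-daemon" exe="/usr/sbin/example-daemon" key=(null)
type=PATH msg=audit(1677237000.101:4821): item=0 name="/etc/" nametype=PARENT
type=PATH msg=audit(1677237000.101:4821): item=1 name="/etc/resolv.conf" nametype=DELETE
type=SYSCALL msg=audit(1677237050.200:4830): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 uid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1677237050.200:4830): item=0 name="/etc/resolv.conf" nametype=NORMAL
'''

RECORD = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records sharing one audit(timestamp:serial) id into one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[(ts, serial)].append((rtype, fields))
    return events

def failed_deletes(text, target="/etc/resolv.conf"):
    """Return caller details for failed syscalls whose event has a DELETE PATH record for target."""
    hits = []
    for (ts, serial), records in parse_events(text).items():
        deleted = any(t == "PATH" and f.get("name") == target
                      and f.get("nametype") == "DELETE" for t, f in records)
        for t, f in records:
            if deleted and t == "SYSCALL" and f.get("success") == "no":
                keys = ("pid", "ppid", "uid", "comm", "exe", "exit")
                hits.append({"time": ts, "serial": serial,
                             **{k: f.get(k) for k in keys}})
    return hits

if __name__ == "__main__":
    for hit in failed_deletes(SAMPLE):
        print(hit)
```
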