On Mon, Feb 27, 2023 at 03:14:40PM +0100, daven...@tuxfamily.org wrote:
> I did
> 
> - chattr +i /etc/revolv.conf
> 
> And when auditd showed a (failed) delete event on /etc/resolv.conf
> 
> I grepped "resolv.conf" recursively on /var/log/, and all I've found are
> entries in
> 
> - /var/log/installer from more than 1 year ago, since the log file is small,
> I guess it has never been rotated
> - audit.log, since write and append to "/etc/resolv.conf" are audited
> - auth.log : authentication related to commands I've used this morning,
> which are "auditctl -w /etc/resolv.conf -p wa" and "chattr +i
> /etc/revolv.conf"
> 
> But whatever process tried to delete "/etc/resolv.conf" while it was
> immutable, didn't leave traces.
> Not even a log for permission error because of the immutable flag. At least
> not in /var/log anyway.

I can't say I'm shocked.  But you *did* find an entry from auditd, which
presumably has a timestamp.  Check to see what was happening right at
that moment in other log files.

In particular, check whether a DHCP client daemon renewed its DHCP lease
at that time.
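
The timestamp correlation suggested above, as an added example that is not part of the original message: it reads the epoch time from an auditd record and lists syslog lines within a few seconds of it. The log lines are constructed samples, the function names are hypothetical, and it assumes traditional syslog timestamps (local time, no year) on a host at UTC+01:00.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data, not taken from the thread.
AUDIT_LOG = '''\
type=PATH msg=audit(1677486667.512:914): item=1 name="/etc/resolv.conf" nametype=DELETE
type=PATH msg=audit(1677486700.100:915): item=0 name="/etc/hosts" nametype=NORMAL
'''
SYSLOG = '''\
Feb 27 09:29:50 host sshd[811]: Accepted publickey for user
Feb 27 09:31:06 host dhclient[602]: DHCPREQUEST for 192.0.2.10 on eth0
Feb 27 09:31:07 host dhclient[602]: bound to 192.0.2.10 -- renewal in 1800 seconds.
Feb 27 09:40:00 host CRON[900]: (root) CMD (example)
'''
LOCAL_TZ = timezone(timedelta(hours=1))  # assumption: host runs at UTC+01:00

AUDIT_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")

def audit_events(text, needle):
    """Map audit event serial -> UTC time for records mentioning needle."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m and needle in line:
            events[int(m.group(2))] = datetime.fromtimestamp(int(m.group(1)), timezone.utc)
    return events

def syslog_near(text, when_utc, local_tz, window_s=5):
    """Return syslog lines stamped within window_s seconds of when_utc."""
    local = when_utc.astimezone(local_tz)
    hits = []
    for line in text.splitlines():
        try:
            # Syslog stamps omit the year, so borrow it from the audit event.
            ts = datetime.strptime(f"{local.year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # not a traditional syslog line
        if abs((ts.replace(tzinfo=local_tz) - local).total_seconds()) <= window_s:
            hits.append(line)
    return hits

def correlate(audit_text, syslog_text, needle, local_tz, window_s=5):
    """For each matching audit event, list the syslog lines around it."""
    return {serial: syslog_near(syslog_text, when, local_tz, window_s)
            for serial, when in audit_events(audit_text, needle).items()}

if __name__ == "__main__":
    for serial, lines in correlate(AUDIT_LOG, SYSLOG, "/etc/resolv.conf", LOCAL_TZ).items():
        print(serial, *lines, sep="\n  ")
```

Audit timestamps are UTC epoch seconds while syslog stamps are local time, so passing the wrong offset silently yields no matches.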
