0

Does Linux have a way to audit operations run against a specific route table?

I have the following config in my custom route table:

default dev tun0 scope link
192.168.100.0/28 dev eth0 scope link

for an unknown reason some processes remove the default entry. I would like to find out the guilty.

Is there a way to audit operations run against a route table?

Mazzy
  • 227
  • 3
  • 11
  • You can find *when* it happens simply with `ip -ts monitor route`. As it's related to addresses too, `ip -ts monitor` should be preferable (but with more output) – A.B Aug 08 '21 at 00:56

1 Answers1

1

On Linux, if rtmon -ts was running when the change was made, that can tell you when and what, but not who. I doubt who is easy to get.

While you could go through login history and config file backups to try and piece together who, seems more useful to get a better change control procedure for the future.

Tell everyone that could have changed this how they overwrote your config. Get desired configuration into whatever automation tool you use. Log privilaged access. Personally, I would want to be accountable with a personal login, and have an answer for what I was doing in a sudo -u root -i session.

FYI, "Linux" is not specific enough. A wide variety of network management scripts and routing protocols for Linux exist, supporting every use case from servers (ifcfg scripts, systemd-networkd) to routers (VyOS, DANOS, OpenWRT) to desktops (NetworkManager via dbus).

John Mahowald
  • 32,050
  • 2
  • 19
  • 34