Usually I use inotfiy_add_watch to monitor deletion of files, it works for regular files or even most device files(/dev/zero,etc...), but fails for /dev/null. It seems that any operations to it will not trigger inotify events. Why? Is there any other way to monitor rm /dev/null? thx!
Asked
Active
Viewed 109 times
0
-
why would you do it? i mean after root/sudo can do that – djdomi Mar 12 '22 at 07:58
-
cause I am working on a shared server that many modules or program with root permission are running on and recently /dev/null was deleted a couple of times. I am trying to find out who did this. – Vchanger Mar 12 '22 at 08:14
-
2You should follow the principle of running programs with least required privileges.Your current setup seems way too fragile. – Tero Kilkanen Mar 12 '22 at 10:46
-
i am unsure if `chattr +i /dev/null` might work but you should remember that it may be a dangerous situation – djdomi Mar 12 '22 at 10:54
-
Basically, this question has already some solutions like questions [266717] or [899956] – djdomi Mar 12 '22 at 11:02
1 Answers
1
On Linux, inotify is limited in that it is file system specific. Documentation says that "various pseudo-filesystems such as /proc, /sys, and /dev/pts are not monitorable with inotify"
Linux audit system is capable of logging arbitrary system calls. An example file monitoring watch you might put in /etc/audit/rules.d/specialdev.rules could be:
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F path=/dev/null -k specialdev
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F path=/dev/null -k specialdev
Note the filtering to specific system calls that actually delete the file, not just write to it. Query recent entries with something like:
ausearch --start yesterday --end now --key specialdev
You can tell from these log entries when it happened, the process ID and comm, various flavors of uid, and selinux context. Good clues, but you still have to do a bit of looking for the broken shell script or whatever.
John Mahowald
- 32,050
- 2
- 19
- 34