How to Identify Which Process is Modifying /etc/hosts in Real-Time on Linux

When troubleshooting system configurations, identifying which process modifies critical files like /etc/hosts can be crucial. Traditional tools like lsof have limitations because they only show currently open file handles, not transient write operations.

The most robust approach uses Linux's built-in audit subsystem:

# Install auditd if not present
sudo apt install auditd

# Add a watch rule for /etc/hosts
sudo auditctl -w /etc/hosts -p wa -k hosts_file_change

# Search the logged events by key and summarise them as a file report;
# aureport expects raw records on stdin, hence --raw
sudo ausearch -k hosts_file_change --raw | sudo aureport -f -i

Key parameters:

  • -w: Watch path
  • -p wa: Monitor write and attribute changes
  • -k: Assign a searchable key

For systems without auditd, inotifywait can help catch file modifications:

sudo apt install inotify-tools
# -m keeps watching; lsof only lists processes that still hold the file open,
# so a quick open-write-close may already be finished when it runs (auditd has no such gap)
inotifywait -m /etc/hosts -e modify |
while read -r path action file; do
  lsof /etc/hosts | grep -v "COMMAND"
done

For advanced debugging, the kernel's ftrace tracepoints can show the task that touched the file together with its kernel call stack:

# The filemap tracepoints record device and inode rather than the path, so match on the
# inode of /etc/hosts (printed in hex); the stacktrace option appends the call stack to each event
for f in events/filemap/enable options/stacktrace; do echo 1 | sudo tee /sys/kernel/debug/tracing/$f; done
sudo cat /sys/kernel/debug/tracing/trace_pipe | grep -A8 "ino $(printf '%x' "$(stat -c %i /etc/hosts)")"

When I recently discovered unauthorized /etc/hosts changes, auditd revealed:

type=SYSCALL msg=audit(1634567890.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1234 a1=241 a2=1b6
items=1 ppid=1234 pid=5678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="malware.sh" exe="/bin/bash" key="hosts_file_change"

# Make audit rules persistent
sudo sh -c 'echo "-w /etc/hosts -p wa -k hosts_file_change" >> /etc/audit/rules.d/hosts.rules'
sudo service auditd restart
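
Reading the process out of records like the one above by hand does not scale once the rule fires often. The following is an added example (not code from the original post) that parses raw audit.log lines, joins each event's SYSCALL and PATH records on the audit event id, decodes the hex-escaped fields auditd emits for unsafe strings, and reports whether the open() call asked for write or truncate access. The sample records are constructed from the record shown above; the hosts_file_change key is the one used by the rules on this page.

```python
# Added example, not from the original post: who wrote /etc/hosts, from raw auditd records.
import re
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
HEX_FIELDS = {"comm", "exe", "proctitle", "name", "cwd"}  # auditd hex-escapes these when unsafe
OPEN_FLAGS_ARG = {"2": "a1", "257": "a2"}  # flags argument of open()/openat() on x86-64
O_ACCMODE, O_WRONLY, O_RDWR, O_TRUNC = 0o3, 0o1, 0o2, 0o1000

# Constructed sample: the SYSCALL record quoted in the post plus its PATH record.
SAMPLE = [
    'type=SYSCALL msg=audit(1634567890.123:456): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=7ffd1234 a1=241 a2=1b6 items=1 ppid=1234 pid=5678 auid=4294967295 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="malware.sh" exe="/bin/bash" key="hosts_file_change"',
    'type=PATH msg=audit(1634567890.123:456): item=0 name="/etc/hosts" nametype=NORMAL',
]

def decode(name, raw):  # unquote a value; hex-decode the fields auditd hex-escapes
    if raw.startswith('"'):
        return raw[1:-1]
    if name in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_record(line):  # one raw line -> dict of fields, plus _time and the _event id
    if not (m := EVENT_RE.search(line)):
        return None
    rec = {"_time": float(m.group(1)), "_event": m.group(2)}
    rec.update((k, decode(k, v)) for k, v in FIELD_RE.findall(line))
    return rec

def opens_for_write(rec):  # did this open()/openat() ask for write or truncate access?
    arg = OPEN_FLAGS_ARG.get(rec.get("syscall"))
    if arg not in rec:
        return False
    flags = int(rec[arg], 16)  # a0..a3 are logged as bare hex
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR) or bool(flags & O_TRUNC)

def find_writers(lines, key="hosts_file_change"):
    events = {}  # audit event id -> its SYSCALL, PATH, ... records
    for rec in filter(None, map(parse_record, lines)):
        events.setdefault(rec["_event"], []).append(rec)
    hits = []
    for recs in events.values():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc and sc.get("key") == key:  # ignore unrelated events in the same log
            hits.append({"time": sc["_time"], "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
                         "uid": int(sc["uid"]), "comm": sc.get("comm"), "exe": sc.get("exe"),
                         "write_open": opens_for_write(sc),
                         "paths": [r["name"] for r in recs if r.get("type") == "PATH"]})
    return hits
```

Feed it the lines from `sudo ausearch -k hosts_file_change --raw`, or follow /var/log/audit/audit.log, to turn the watch rule into a running report of pid, parent, uid and executable per change.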

For high-traffic systems, filter events precisely to avoid overhead:

sudo auditctl -a exit,always -F arch=b64 -S open,openat -F path=/etc/hosts -F perm=w -k hosts_file_change

When troubleshooting system configurations, we often need to identify which process is modifying critical files like /etc/hosts. Traditional tools like lsof show currently open file handles but miss transient operations where processes quickly open-write-close files.

1. Using inotifywait for Immediate Detection

The inotify-tools package provides a powerful way to monitor file system events:

sudo apt install inotify-tools  # Debian/Ubuntu
sudo yum install inotify-tools  # RHEL/CentOS

# Basic monitoring command:
inotifywait -m -e modify /etc/hosts

For process identification, combine with auditctl:

sudo auditctl -w /etc/hosts -p wa -k hosts_file_change

2. Advanced Auditd Configuration

Create a dedicated audit rule for persistent monitoring:

echo "-w /etc/hosts -p wa -k hosts_file_change" | sudo tee -a /etc/audit/rules.d/hosts.rules
sudo auditctl -R /etc/audit/rules.d/hosts.rules

View logs with:

sudo ausearch -k hosts_file_change --raw | aureport -f -i

3. SystemTap for Deep Inspection

For complex environments, SystemTap provides kernel-level tracing:

sudo stap -e 'probe syscall.open, syscall.openat {
    # exact match only: a relative path or a symlink to the file will not be caught
    if (filename == "/etc/hosts") {
        printf("%s[%d] opened %s\n", execname(), pid(), filename)
    }
}'

When suspecting unauthorized changes, run:

sudo inotifywait -m -e modify -e attrib /etc/hosts --format "%w%f %e %T" --timefmt "%H:%M:%S" | while read -r line; do
    echo "Change detected at $(date): $line"
    # lsof -t prints bare PIDs; xargs -r runs nothing when no process still has the
    # file open (grep on an empty string would otherwise match every process)
    lsof -t /etc/hosts | xargs -r -I{} ps -o pid,ppid,user,comm,args -p {}
done

Other tools worth knowing:

  • fatrace: File activity monitor showing process names
  • opensnoop: From bcc-tools for real-time open syscall tracking
  • strace: Trace specific process system calls