Auditing specific route table operations
Does Linux have a way to audit operations run against a specific route table?
I have the following config in my custom route table:
default dev tun0 scope link
192.168.100.0/28 dev eth0 scope link
For an unknown reason, some processes remove the default entry. I would like to find out the guilty party.
Is there a way to audit operations run against a route table?
Solution 1:
On Linux, if rtmon -ts was running when the change was made, that can tell you when and what, but not who. I doubt who is easy to get.
While you could go through login history and config file backups to try and piece together who, it seems more useful to get a better change control procedure for the future.
Tell everyone that could have changed this how they overwrote your config. Get desired configuration into whatever automation tool you use. Log privileged access. Personally, I would want to be accountable with a personal login, and have an answer for what I was doing in a sudo -u root -i session.
FYI, "Linux" is not specific enough. A wide variety of network management scripts and routing protocols for Linux exist, supporting every use case from servers (ifcfg scripts, systemd-networkd) to routers (VyOS, DANOS, OpenWRT) to desktops (NetworkManager via dbus).
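The answer above points at rtmon for the "when and what" part. An added example, not part of the original question or answer: a small POSIX shell filter that reads the output of `ip -ts monitor route` (the same netlink route events rtmon records, with short timestamps) and reports every deletion of the default route with the time and the device it was attached to. The sample log lines are constructed for this example and assume the `[ISO-timestamp] Deleted default ...` line format that `ip -ts monitor route` prints; adjust the pattern if your iproute2 version formats timestamps differently.

```shell
#!/bin/sh
# Report deletions of the default route from `ip -ts monitor route` output.
# Added example; sample input is constructed and assumes iproute2's
# "[YYYY-MM-DDThh:mm:ss.uuuuuu] Deleted default ... dev <ifname> ..." format.

# Constructed sample of what `ip -ts monitor route` might print while the
# default route is removed and re-added (not captured from a real host).
SAMPLE_LOG='[2024-05-01T10:15:02.000123] 192.168.100.0/28 dev eth0 scope link
[2024-05-01T10:17:44.508871] Deleted default dev tun0 scope link
[2024-05-01T10:17:45.001002] default dev tun0 scope link
[2024-05-01T11:02:10.300400] Deleted default via 10.8.0.1 dev tun0'

# Reads monitor output on stdin; prints "<timestamp> <device>" for each
# line that announces deletion of the default route. Other route events
# (additions, other prefixes) are ignored.
default_route_deletions() {
    awk '
        /^\[[^]]*\] Deleted default/ {
            # strip the surrounding [ ] from the timestamp field
            ts = substr($1, 2, length($1) - 2)
            dev = "?"
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            print ts, dev
        }'
}

# Convenience wrapper: number of default-route deletions seen on stdin.
count_default_route_deletions() {
    default_route_deletions | grep -c .
}

# Live mode: set ROUTE_WATCH_LIVE=1 to follow the kernel route table in
# real time instead of the constructed sample (requires iproute2).
if [ "${ROUTE_WATCH_LIVE:-0}" = "1" ]; then
    ip -ts monitor route | default_route_deletions
else
    printf '%s\n' "$SAMPLE_LOG" | default_route_deletions
fi
```

This gives the timeline but, as the answer says, not the actor. To attribute a change made from a shell, the usual complement is an auditd watch on the binaries that can issue the netlink request, for example `auditctl -w /usr/sbin/ip -p x -k route_change` (and the same for `route` if present), after which `ausearch -k route_change` shows the login uid (`auid`), tty and command line of each invocation; changes made by daemons such as NetworkManager or a VPN client's up/down scripts show up under the daemon's own process rather than a user, which is why the answer stresses knowing which network management stack is in play.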