/etc/passwd continually accessed

Solution 1:

As you are using CentOS, you should be able to find out what sudo is doing by looking in /var/log/secure e.g.

sudo tail /var/log/secure

Oct 4 03:45:44 ec2-centos-instance sudo: iain : TTY=pts/0 ; PWD=/home/iain ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure

Edit: Updating with answer from comments

Enabling block dump with:echo 1 > /proc/sys/vm/block_dump and take a look at it with dmesg helped track down which processes were accessing the disk. Much more reliable than iotop. Turns out, sar was running continually, writing out to /var/log/sa/saXX so I disabled that in cron.d, and all is well again

Solution 2:

It sounds like you have a script or program that is using sudo to try and do stuff as root. You can enable logging in sudo to figure out what they are trying to do and come up with a better solution (perhaps a setuid binary is in order). Here is more info on sudo (like how to enable logging):

http://aplawrence.com/Basics/sudo.html