/etc/passwd continually accessed

io amazon-ec2

Solution 1:

As you are using CentOS, you should be able to find out what sudo is doing by looking in /var/log/secure e.g.

sudo tail /var/log/secure

Oct 4 03:45:44 ec2-centos-instance sudo: iain : TTY=pts/0 ; PWD=/home/iain ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure

Edit: Updating with answer from comments

Enabling block dump with:echo 1 > /proc/sys/vm/block_dump and take a look at it with dmesg helped track down which processes were accessing the disk. Much more reliable than iotop. Turns out, sar was running continually, writing out to /var/log/sa/saXX so I disabled that in cron.d, and all is well again

Solution 2:

It sounds like you have a script or program that is using sudo to try and do stuff as root. You can enable logging in sudo to figure out what they are trying to do and come up with a better solution (perhaps a setuid binary is in order). Here is more info on sudo (like how to enable logging):

http://aplawrence.com/Basics/sudo.html

Related

Dell PowerEdge t710 virtualization suggestions
Why is dropping an index on MyISAM table so slow?
Cutting down network noise on an industrial control network
Possible to use grep simply for finding files in a directory structure?
Making our small business network PCI-DSS Compliant [closed]
What is the best way to clone Win7 machines?
What hardware & software consideration does a major website require to properly manage 1000+ servers? [closed]
Make folders on multiple drives appear in a single folder without using symlinks
How to Block psexec?
motd login message won't save after restart
Does IIS7 have in-built, or available extensions, for responding to scan attempts?
Redundant NFS on Amazon EC2