/etc/hosts gets over written

Solution 1:

As a tool to help you find the culprit, here is a dtrace oneliner which prints the pid and name of any process which opens a file for writing, together with the filename:

dtrace -qn 'syscall::open*:entry /arg1&3/ { printf("%d %s %s\n", pid, execname, copyinstr(arg0)); }'

It needs to be run as root (e.g., with sudo). Pipe it into grep hosts to avoid drowning in output and missing what you are looking for:

sudo dtrace -qn 'syscall::open*:entry /arg1&3/ { printf("%d %s %s\n", pid, execname, copyinstr(arg0)); }' | grep hosts

Hopefully, this will tell you what process is overwriting the file. Just let it run in a terminal window until it triggers.

Solution 2:

For me it's in the file

/etc/pulse-hosts.bak

You have to edit this file to customize your hosts directives

When you are going to reconnect/connect using the Pulse Secure VPN, it's going to merge the directives from the

/etc/pulse-hosts.bak

with the content from Pulse directives and creates the

/etc/hosts

2018 Update

With the newer version of Pulse Secure you have to exit the program first (check your active process).

Modify your host (/etc/hosts) and then restart Pulse Secure.