:: Re: [DNG] new freedesktop "standard…
Author: marc
Date:  
To: dng
Subject: Re: [DNG] new freedesktop "standard": /etc/machine-id
> On 09/03/2019 at 10:03, Didier Kryn wrote:
> >On 09/03/2019 at 09:34, golinux@??? wrote:
> >>I'd recommend adding an inotify rule to record which processes
> >>look at these files, and publishing this - here.
> >
> >Unfortunately inotify doesn't tell which process accessed the file
> >)~:
>
> But fanotify() is perfectly suited (~:


Excellent. There are also tricks involving the audit subsystem, maybe
fuse and certainly strace (strace -e open). I have checked some of my
systems and so far I can see

dnsmasq
udev
dbus
systemd-*

looking at machine ids. Dnsmasq might warrant a close look - hopefully
that id does not get disclosed during dhcp negotiation...

The other three in that list I disable whenever possible already, and
the above provides yet further confirmation this is prudent.

regards

marc
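
Added example, not part of the message above or of the thread: a small fanotify watcher that records which process opens /etc/machine-id, the approach suggested in the quoted reply. The function names are illustrative, and it assumes Linux with CAP_SYS_ADMIN (run it as root).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/fanotify.h>
#include <unistd.h>

/* Resolve a PID to its command name via /proc/<pid>/comm; 0 on success. */
int pid_comm(pid_t pid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char *ok = fgets(buf, (int)len, f);
    fclose(f);
    if (!ok)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';   /* strip trailing newline */
    return 0;
}

/* Report every open of `path` until read() fails; -1 on setup or read error. */
int watch_opens(const char *path)
{
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0 || fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN, AT_FDCWD, path) < 0) {
        perror("fanotify");
        if (fan >= 0) close(fan);
        return -1;
    }
    struct fanotify_event_metadata ev[64];
    ssize_t n;
    while ((n = read(fan, ev, sizeof ev)) > 0) {
        for (struct fanotify_event_metadata *m = ev; FAN_EVENT_OK(m, n); m = FAN_EVENT_NEXT(m, n)) {
            char comm[64] = "?";          /* stays "?" if the process already exited */
            pid_comm(m->pid, comm, sizeof comm);
            printf("pid=%d comm=%s opened %s\n", (int)m->pid, comm, path);
            if (m->fd >= 0) close(m->fd); /* each event carries an open fd to the file */
        }
    }
    close(fan);
    return -1;
}

int main(void)
{
    return watch_opens("/etc/machine-id") < 0;
}
```

The mark is attached to the inode, so if the file is replaced rather than rewritten in place the watcher has to be restarted.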