I'm splitting this out from https://github.com/pirate/security-growler/issues/24. I want to add an alert whenever DNS resolvers change on the system, as these can be used to snoop on traffic and redirect people maliciously.
We can watch for the following event in the syslog, or just manually check the DNS resolution conf and alert whenever it changes.
DNS change line found in syslog: mDNSResponder: SIGHUP: Purge cache
File containing DNS resolution order: /etc/resolv.conf
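
An added example, not part of the original issue or security-growler's own code: it combines the two approaches above, using the syslog line as a cue to re-read `/etc/resolv.conf` and reporting which `nameserver` entries were added, removed or reordered. The function and class names and the sample data are assumptions made for illustration.

```python
import re

# Both values are quoted from the issue above.
DNS_CHANGE_MARKER = "mDNSResponder: SIGHUP: Purge cache"
RESOLV_CONF = "/etc/resolv.conf"

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")

def parse_nameservers(text):
    """Return resolver addresses in file order; comments and other directives are skipped."""
    found = (NAMESERVER_RE.match(line) for line in text.splitlines())
    return [m.group(1) for m in found if m]

def diff_resolvers(old, new):
    """Return a dict describing the change, or None when the resolver list is identical."""
    if old == new:
        return None
    return {
        "added": [s for s in new if s not in old],
        "removed": [s for s in old if s not in new],
        "reordered": sorted(old) == sorted(new),
    }

def has_dns_change_hint(syslog_lines):
    """True if any syslog line contains the marker from the issue."""
    return any(DNS_CHANGE_MARKER in line for line in syslog_lines)

class ResolverWatch:
    """Hypothetical helper: remembers the last resolver list and reports differences."""
    def __init__(self, baseline_text):
        self.known = parse_nameservers(baseline_text)

    def check(self, current_text):
        current = parse_nameservers(current_text)
        change = diff_resolvers(self.known, current)
        self.known = current  # alert once per change, not on every poll
        return change

# Constructed sample data (documentation-range addresses), not real captures.
SAMPLE_BEFORE = "# constructed sample\nsearch lan\nnameserver 192.0.2.53\nnameserver 198.51.100.7\n"
SAMPLE_AFTER = "# constructed sample\nsearch lan\nnameserver 203.0.113.9\nnameserver 192.0.2.53\n"
SAMPLE_SYSLOG = ["Jan  1 10:00:00 host mDNSResponder[99]: mDNSResponder: SIGHUP: Purge cache"]

if __name__ == "__main__":
    watch = ResolverWatch(SAMPLE_BEFORE)
    if has_dns_change_hint(SAMPLE_SYSLOG):
        print(watch.check(SAMPLE_AFTER))
```

In a real watcher, the baseline and current text would come from reading `RESOLV_CONF` on each poll or each time the marker line appears.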