Try to find which process has edit config by kprobe.
1, install kernel header files
sudo apt-get install linux-headers-uname -r
2, download code
git clone https://github.com/pacepi/whotouchmyfile.git
3, build
cd whotouchmyfile
4, run
sudo insmod probe.ko
5, debug
echo "file_you_want_to_watch" > /proc/sys/kernel/who_touch_my_file
6, check log
dmesg