Monitoring File Access in Real Time on Linux
Files get changed; that's pretty much what they're there for. Sometimes, though, they change when you don't expect them to. Sometimes repeatedly, no matter how much you chmod them. In this case, it's useful to be able to find out what is making the changes, and when.
The auditd package provides utilities that make this easy. Install it using your favourite package manager, and then use the following commands:
Create a new rule

    auditctl -w <path> -p <permissions> -k <key>

- -w <path>: Watch the specified path
- -p <permissions>: Operations to watch for (mapped to permissions: [r]ead, [w]rite, e[x]ecute, [a]ttributes)
- -k <key>: Label to key events with, for ease of searching

Find events

    ausearch -f <path>

- -f <path>: Path to look for events for

or

    ausearch -k <key>

- -k <key>: Key to look for

List rules

    auditctl -l

Delete a rule

    auditctl -W <path>

- -W <path>: Stop watching the specified path
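The raw output of `ausearch` is several records per event, and the answer to "what changed the file?" is buried in the SYSCALL record (the `comm=`, `exe=`, `uid=` and `auid=` fields). The script below is an added example, not part of the original tip: it builds the `auditctl -w` command from the tip (rejecting permission strings that are not made of r, w, x, a) and reduces raw `ausearch` output piped into it to one line per event. The sample `ausearch -k hosts-watch` output it runs over is constructed for the example; the path `/etc/hosts`, the key `hosts-watch`, the pids and the program paths are made up. It assumes raw (non `-i`) `ausearch` output, where uids are numeric. Note that rules added with `auditctl` live only until reboot; to keep a watch permanently, put the same `-w ... -p ... -k ...` line in a file under `/etc/audit/rules.d/` so augenrules loads it.

```shell
#!/bin/sh
# Added example (not from the original tip). Wraps the auditctl/ausearch
# workflow: build the watch rule, then summarise who touched the file.

# Build the auditctl command for a watch. The permission string may only
# contain r, w, x and a, as described in the tip; anything else is refused.
# Run the printed command as root, e.g.: sudo $(audit_watch_cmd /etc/hosts wa hosts-watch)
audit_watch_cmd() {
    path="$1"; perms="$2"; key="$3"
    case "$perms" in
        *[!rwxa]*|"")
            echo "invalid permissions: '$perms' (use any of r w x a)" >&2
            return 1 ;;
    esac
    printf 'auditctl -w %s -p %s -k %s\n' "$path" "$perms" "$key"
}

# Read raw ausearch output on stdin and print one line per SYSCALL record:
# event serial, auid (login uid; 4294967295 means no login session, i.e. a
# daemon), effective uid, pid, command name, executable path and key.
# Typical use: ausearch -k hosts-watch | audit_summarize
audit_summarize() {
    awk '
    /^type=SYSCALL/ {
        id = "?"; auid = "?"; uid = "?"; pid = "?"; comm = "?"; exe = "?"; key = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "msg") {
                # msg=audit(<epoch>.<ms>:<serial>): -> keep the serial
                if (match(kv[2], /:[0-9]+\)/))
                    id = substr(kv[2], RSTART + 1, RLENGTH - 2)
            }
            else if (kv[1] == "auid") auid = kv[2]
            else if (kv[1] == "uid")  uid  = kv[2]
            else if (kv[1] == "pid")  pid  = kv[2]
            else if (kv[1] == "comm") comm = kv[2]
            else if (kv[1] == "exe")  exe  = kv[2]
            else if (kv[1] == "key")  key  = kv[2]
        }
        gsub(/"/, "", comm); gsub(/"/, "", exe); gsub(/"/, "", key)
        printf "event=%s auid=%s uid=%s pid=%s comm=%s exe=%s key=%s\n",
               id, auid, uid, pid, comm, exe, key
    }'
}

# Constructed sample of raw `ausearch -k hosts-watch` output (not captured
# data): one edit by a logged-in user who became root, one by a daemon.
SAMPLE_AUSEARCH='----
time->Mon Jan  1 12:00:00 2024
type=PROCTITLE msg=audit(1704110400.123:456): proctitle=7669002F6574632F686F737473
type=PATH msg=audit(1704110400.123:456): item=0 name="/etc/hosts" inode=262401 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1704110400.123:456): cwd="/root"
type=SYSCALL msg=audit(1704110400.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c2b0 a2=241 a3=1b6 items=1 ppid=4000 pid=4021 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="vi" exe="/usr/bin/vi" key="hosts-watch"
----
time->Mon Jan  1 12:05:00 2024
type=PATH msg=audit(1704110700.500:470): item=0 name="/etc/hosts" inode=262401 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1704110700.500:470): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd a2=241 a3=1b6 items=1 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="config-agent" exe="/opt/agent/bin/config-agent" key="hosts-watch"'

# Run the summariser over the constructed sample (no auditd needed).
audit_demo() {
    printf '%s\n' "$SAMPLE_AUSEARCH" | audit_summarize
}

# Stand-alone run: show the rule that would be installed, then the summary.
audit_watch_cmd /etc/hosts wa hosts-watch
audit_demo
```

The two summary lines make the distinction that matters when chasing a mystery change: the first event has `auid=1000`, so a real login session (uid 1000) did the edit after becoming root, while the second has `auid=4294967295` and no tty, which is the signature of a daemon started at boot; the `exe=` path then tells you which one.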
From Superuser
Written by davewatts