Last Updated: February 25, 2016 · davewatts

Monitoring File Access in Real Time on Linux

Files get changed; that's pretty much what they're there for. Sometimes, though, they change when you don't expect them to, sometimes repeatedly, no matter how often you chmod them. In that case, it's useful to be able to find out what is making the changes, and when.

The auditd package provides utilities that make this easy. Install it using your favourite package manager, and then use the following commands:

Create a new rule

auditctl -w <path> -p <permissions> -k <key>
  • -w <path> Watch the specified path
  • -p <permissions> Operations to watch for (mapped to permissions: [r]ead, [w]rite, e[x]ecute, [a]ttributes)
  • -k <key> Label to key events with, for ease of searching

Find events

ausearch -f <path>
  • -f <path> Path to look for events for

or

ausearch -k <key>
  • -k <key> Key to look for
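Once a watch is in place, the events that ausearch returns are multi-line records joined by a shared serial number, and the answer to "who changed it?" is spread across them: the SYSCALL record carries the process and user fields, the PATH records carry the file names. The parser below is an added example, not part of the original post; it reads the raw audit record format (the same lines ausearch prints or that land in /var/log/audit/audit.log), groups them by serial, and lets you filter by the key you set with -k or by path. The sample log text is constructed for the example (timestamps, pids and inodes are made up), and the key name passwd-watch is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the Linux audit record format: one write to /etc/passwd
# by vim under sudo, then a chmod by an unprivileged user. Not real log data.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1456400000.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=241 a2=1b6 a3=0 items=2 ppid=2100 pid=2188 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd-watch"
type=CWD msg=audit(1456400000.123:456): cwd="/root"
type=PATH msg=audit(1456400000.123:456): item=0 name="/etc/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1456400000.123:456): item=1 name="/etc/passwd" inode=131200 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1456400042.500:457): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd2 a1=1a4 a2=0 a3=0 items=1 ppid=3000 pid=3011 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="chmod" exe="/usr/bin/chmod" key="passwd-watch"
type=CWD msg=audit(1456400042.500:457): cwd="/home/dave"
type=PATH msg=audit(1456400042.500:457): item=0 name="/etc/passwd" inode=131200 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Every record starts with its type and the audit(<epoch seconds>:<serial>) stamp.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$'
)
# Fields are key=value, with the value either quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fields(body):
    """Turn the key=value tail of a record into a dict, stripping quotes."""
    fields = {}
    for m in FIELD_RE.finditer(body):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def parse_events(text):
    """Group records by serial number; one event = one audited syscall."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:  # skips ausearch's '----' separators and anything non-record
            continue
        serial = int(m.group('serial'))
        ev = events.setdefault(
            serial, {'serial': serial, 'time': float(m.group('ts')), 'records': []})
        ev['records'].append((m.group('type'), parse_fields(m.group('body'))))
    return [events[s] for s in sorted(events)]


def summarize(event):
    """Pull the fields an investigator needs out of one grouped event.

    auid is the login uid and survives su/sudo; uid is the effective user at
    the time of the call. auid=1000 with uid=0 means a user escalated to root.
    PARENT entries are the containing directory, so only real targets are kept.
    """
    syscall = next((f for t, f in event['records'] if t == 'SYSCALL'), {})
    paths = [f['name'] for t, f in event['records']
             if t == 'PATH' and f.get('nametype') != 'PARENT']
    return {
        'serial': event['serial'],
        'time': datetime.fromtimestamp(event['time'], tz=timezone.utc).isoformat(),
        'key': syscall.get('key'),
        'auid': syscall.get('auid'),
        'uid': syscall.get('uid'),
        'exe': syscall.get('exe'),
        'comm': syscall.get('comm'),
        'syscall': syscall.get('syscall'),
        'success': syscall.get('success'),
        'paths': paths,
    }


def find_events(text, key=None, path=None):
    """Mirror `ausearch -k <key>` / `ausearch -f <path>` over raw record text."""
    results = []
    for ev in parse_events(text):
        s = summarize(ev)
        if key is not None and s['key'] != key:
            continue
        if path is not None and path not in s['paths']:
            continue
        results.append(s)
    return results


if __name__ == '__main__':
    for s in find_events(SAMPLE_AUDIT_LOG, key='passwd-watch'):
        print(f"{s['time']} serial={s['serial']} auid={s['auid']} uid={s['uid']} "
              f"{s['exe']} ({s['comm']}) syscall={s['syscall']} -> {s['paths']}")
```

Feed it the output of ausearch -k <key> --raw (or -r) or the audit log file itself; the record layout is identical. Two points the summary makes visible that the raw lines hide: the auid/uid split tells you which login the change came from even after sudo, and the PARENT path entry is the directory, not the file, so a naive grep on name= would double-count. One caveat on the rule side: watches added with auditctl live only in the running kernel and are gone after a reboot, so anything you want to keep belongs in auditd's rules file as well.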

List rules

auditctl -l

Delete a rule

auditctl -W <path>
  • -W <path> Stop watching the specified path

From Superuser