How to get files modified by certain process in Linux

Question

Need to find out files getting modified by certain process.

tried lsof -p processid it gives all files opened by certain process. I just want a command or set of commands to get all files opened and modified by certain process.

Answer 1

If the process is not already running, you can use strace to print system calls

strace -o logfile  <program>

After this, write a script which will look for open() and write() system calls, and able to print the lists of files which are written too.

If the process is already running, you will have to use the combination of several things

• lsof -p or /proc/<processid>/fd/*
• last modified time stamp of the files found in above
• output of strace -p <processid> to look for write() and open()

Hope that helps