Monitoring file access in Linux

For an application I'm writing, I want to know which processes are accessing a particular file and dump that information into a log file. In the end one of the processes will be deleting this file; I would want to know the process name for that too.

I can use the inotify library to monitor the file access, but it does not give me the name of the process which is accessing the file. This might be possible using the auditctl package on Linux as well, but I can't use that option either :-(

Actually, it is a controlled environment; for some reasons the end customer is ready to run a program but not ready to install new packages or make changes to the existing utilities.

Geek asked Nov 13 '22 07:11

1 Answer

It is not possible to reliably audit directly attached file access in Linux from userspace alone.

You could poll with lsof, but you would risk not detecting accesses between polls. The purpose of the original dnotify module (obsoleted by inotify...) was to avoid having to incur the overhead of polling and to avoid losing events. The audit system gives user identification at the time of file open.

If you can move the file to an NFS server, then you can use the NFS logging to record access to the file.

The customer could be correct about not installing new packages if this is a production server or if it is a development server that is about to go live. You should consider asking for authorization to set up auditing on the next development or testing server.

Eli Rosencruft answered Nov 23 '22 23:11
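The polling approach the answer mentions, shown as an added example that is not part of the question or the answer above. Instead of shelling out to lsof (which may also be absent on a locked-down host), it reads the same information lsof uses, the `/proc/<pid>/fd` symlinks, with only the Python standard library, so nothing has to be installed. It assumes a Linux host with `/proc` mounted and that the watching user may read the `fd` directories of the processes of interest (unprivileged users only see their own). It also makes the answer's two limitations concrete: an open/close that happens between two snapshots is invisible, and an `unlink()` does not require the file to be open, so the deleting process is usually not identifiable this way at all, which is why the answer points at the audit system.

```python
#!/usr/bin/env python3
"""Log which processes hold a file open by polling /proc (added example).

Same data lsof reports, gathered directly from /proc so no package is needed.
Limitations, deliberately kept visible here:
  * an open()/close() pair that completes between two polls is never seen;
  * unlink() needs no open fd, so the deleter usually does not show up.
"""
import os
import tempfile
import time
from typing import Dict, List


def proc_comm(pid: int) -> str:
    """Process name from /proc/<pid>/comm, or '?' if it already exited."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return "?"


def holders(target: str) -> Dict[int, str]:
    """Snapshot {pid: comm} of every process with an fd pointing at target.

    /proc/<pid>/fd/<n> is a symlink to the canonical path of the open file;
    once the file is unlinked the kernel appends ' (deleted)' to that path.
    """
    target = os.path.realpath(target)
    found: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # EACCES for other users' processes, or process gone
            continue
        for fd in fds:
            try:
                link = os.readlink(f"{fd_dir}/{fd}")
            except OSError:  # fd closed between listdir and readlink
                continue
            if link == target or link == target + " (deleted)":
                found[pid] = proc_comm(pid)
                break
    return found


def diff_snapshots(prev: Dict[int, str], cur: Dict[int, str]) -> List[str]:
    """Turn two consecutive snapshots into OPEN/CLOSE log events."""
    events = []
    for pid in sorted(set(cur) - set(prev)):
        events.append(f"OPEN pid={pid} comm={cur[pid]}")
    for pid in sorted(set(prev) - set(cur)):
        events.append(f"CLOSE pid={pid} comm={prev[pid]}")
    return events


def watch(target: str, logfile: str, interval: float = 0.2) -> None:
    """Poll until the file disappears, appending events to logfile."""
    prev: Dict[int, str] = {}
    with open(logfile, "a") as log:
        while True:
            cur = holders(target)
            stamp = time.strftime("%Y-%m-%d %H:%M:%S")
            for ev in diff_snapshots(prev, cur):
                log.write(f"{stamp} {ev}\n")
            if not os.path.exists(target):
                # Best effort only: the unlinking process need not appear here.
                last = ", ".join(f"{p}:{c}" for p, c in sorted(cur.items())) or "none"
                log.write(f"{stamp} DELETED; processes still holding it open: {last}\n")
                log.flush()
                return
            log.flush()
            prev = cur
            time.sleep(interval)


def self_check() -> bool:
    """Open a temporary file and confirm this very process is reported as a holder."""
    if not os.path.isdir("/proc"):
        return True  # not Linux; nothing to check
    with tempfile.NamedTemporaryFile() as tmp:
        return os.getpid() in holders(tmp.name)


if __name__ == "__main__":
    import sys
    # usage: ./fdwatch.py /path/to/file /path/to/access.log
    watch(sys.argv[1], sys.argv[2])
```

Run it as the same user as the processes you care about, or as root, otherwise `/proc/<pid>/fd` of other users' processes is unreadable and those holders are silently skipped. Shrinking `interval` narrows the blind spot between polls but never closes it; only a kernel-side hook (the audit system the answer recommends) sees every open.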