See what process last touched a file

Tags: linux, bash

On a Linux box there is some process regularly changing permissions on directories and files, roughly daily. This is not a process that I set up and I have no idea what it is.

I have root access and I can easily change permissions manually to get access back but it is a bit annoying.

Is there a way to see a list of processes that have last touched a file? Or alternatively, how would I go about logging process activity on the file?

evolution asked Dec 29 '11 18:12


1 Answer

On a Fedora system, you can use:

sudo auditctl -p a -w /some/file  # monitor attribute changes to /some/file

It's in the audit package; if you don't have that installed, then run sudo yum install audit.

The output goes into /var/log/audit/audit.log in the form:

  type=SYSCALL msg=audit(1325185116.524:1133): arch=c000003e syscall=2 success=yes exit=3 a0=671600 a1=241 a2=1b6 a3=9 items=1 ppid=26641 pid=26643 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="jmacs" exe="/usr/bin/joe" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
  type=CWD msg=audit(1325185116.524:1133):  cwd="/tmp"
  type=PATH msg=audit(1325185116.524:1133): item=0 name="/etc/passwd" inode=531545 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0

It's a bit dense, but note that the msg=audit(###) strings line up across multiple lines.

  • Now that I actually read the manpage for the first time ever, I see some cautions about using -Farch=b32/-Farch=b64, so it seems that there is some possible weirdness about 32-bit-vs-64-bit syscalls, so if you don't get an audit hit, that might be why. I've never really seen this bit before, but I haven't really run any 32-bit processes since the Athlon era, so I can't speak to it very well.
BRPocock answered Sep 23 '22 15:09
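The answer points out that the SYSCALL, CWD and PATH records of one audit event share the same msg=audit(timestamp:serial) string, and the follow-up comment warns that 32-bit and 64-bit processes use different syscall tables. The script below is an added example (not part of the answer or of the audit package) that joins the records by that event id and prints which process, running under which uid, touched a given path with which syscall. The sample input is constructed: the first three records are the ones quoted in the answer; the fchmodat event, its pid, inode, key name and path are hypothetical. The arch codes are the kernel's AUDIT_ARCH_X86_64 and AUDIT_ARCH_I386 values; only the x86_64 syscall table is embedded, so a hit from a 32-bit process is reported by number rather than name.

```python
"""Correlate multi-line auditd records into per-event summaries."""
import re
from collections import defaultdict

# Constructed sample input: the three records quoted in the answer, plus one
# constructed fchmodat event (hypothetical pid, inode, key and path values)
# so the report shows a permission change as well as an open().
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1325185116.524:1133): arch=c000003e syscall=2 success=yes exit=3 a0=671600 a1=241 a2=1b6 a3=9 items=1 ppid=26641 pid=26643 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="jmacs" exe="/usr/bin/joe" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1325185116.524:1133):  cwd="/tmp"
type=PATH msg=audit(1325185116.524:1133): item=0 name="/etc/passwd" inode=531545 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(1325271500.001:2001): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=12345 a2=1ed a3=0 items=1 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/bin/chmod" subj=system_u:system_r:unconfined_t:s0 key="perm-watch"
type=CWD msg=audit(1325271500.001:2001):  cwd="/"
type=PATH msg=audit(1325271500.001:2001): item=0 name="/srv/www/html" inode=1234 dev=fd:01 mode=040755 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_sys_content_t:s0
"""

# Audit arch codes (AUDIT_ARCH_X86_64 / AUDIT_ARCH_I386 from the kernel headers).
ARCH = {"c000003e": "x86_64", "40000003": "i386"}

# x86_64 syscall numbers for the calls most relevant to "who touched this file".
# i386 uses a different table (the 32/64-bit caveat from the comment above),
# so syscalls from a 32-bit process are reported by number only.
SYSCALLS_X86_64 = {
    2: "open", 257: "openat", 82: "rename", 87: "unlink",
    90: "chmod", 91: "fchmod", 268: "fchmodat",
    92: "chown", 93: "fchown", 94: "lchown", 260: "fchownat",
}

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_records(text):
    """Group raw audit.log lines by event id.

    Returns {event_id: {record_type: [field_dict, ...]}}; the SYSCALL, CWD
    and PATH records of one event all land under e.g. "1325185116.524:1133".
    """
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not a record we know how to correlate
        event_id = f"{m.group(1)}:{m.group(2)}"
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line) if k != "msg"}
        events[event_id][fields["type"]].append(fields)
    return {eid: dict(recs) for eid, recs in events.items()}


def describe_syscall(syscall_rec):
    """Map arch + syscall number to a name; unknown arch/number stays numeric."""
    arch = ARCH.get(syscall_rec.get("arch", ""), "unknown")
    num = int(syscall_rec.get("syscall", "-1"))
    if arch == "x86_64" and num in SYSCALLS_X86_64:
        return arch, SYSCALLS_X86_64[num]
    return arch, f"syscall#{num}"


def who_touched(events, path):
    """List the events whose PATH records name `path`, oldest first."""
    hits = []
    for event_id in sorted(events, key=lambda e: float(e.split(":")[0])):
        recs = events[event_id]
        if path not in [p.get("name") for p in recs.get("PATH", [])]:
            continue
        sc = recs.get("SYSCALL", [{}])[0]
        arch, name = describe_syscall(sc)
        hits.append({
            "event": event_id,
            "pid": sc.get("pid"), "ppid": sc.get("ppid"),
            "uid": sc.get("uid"), "auid": sc.get("auid"),
            "comm": sc.get("comm"), "exe": sc.get("exe"),
            "arch": arch, "syscall": name, "success": sc.get("success"),
            "cwd": recs.get("CWD", [{}])[0].get("cwd"),
        })
    return hits


if __name__ == "__main__":
    evs = parse_audit_records(SAMPLE_LOG)
    for target in ("/etc/passwd", "/srv/www/html"):
        for h in who_touched(evs, target):
            print(f"{target}: {h['syscall']} by pid {h['pid']} ({h['exe']}, comm={h['comm']}) "
                  f"uid={h['uid']} auid={h['auid']} cwd={h['cwd']} [{h['arch']}]")
```

On a real box you would feed it /var/log/audit/audit.log (or the output of ausearch) instead of SAMPLE_LOG; the auid field is the login uid that survives su/sudo, so it tells you which human account started the daily chmod even when uid=0, and ppid lets you walk up to the cron job or service that spawned it.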