Monitoring filesystem activity

linux files security process monitoring
5,354

You can use strace for this:

strace -f -e trace=file command args...

strace traces system calls and prints a description of them to standard error as they occur. The -f option tells it to track child processes and threads as well. -e lets you modify the calls it will track: -e trace=file will log every use of open, unlink, etc, but no non-file actions.

If you want to see what was read from and written to files, change it to -e trace=file,read,write instead; you can list out any additional calls you want to examine there as well. If you leave off that argument entirely you get every system call.

The output is like this (I ran mkdir /tmp/test in a traced shell):

[pid  1444] execve("/usr/bin/mkdir", ["mkdir", "/tmp/test4"], [/* 33 vars */]) = 0
[pid  1444] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
[pid  1444] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  1444] open("/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
[pid  1444] open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
[pid  1444] mkdir("/tmp/test", 0777)    = 0
[pid  1444] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1444, si_status=0, si_utime=0, si_stime=0} ---

You can log to a file instead of the terminal with -o filename, and make the output (even) more verbose with -v. It's also possible to attach to an already-existing process with -p PID, in case that's more useful.

If you're looking to do this programmatically, rather than to inspect yourself, look at the ptrace call, which is what strace is built on.

Share:
5,354

Related videos on Youtube

user1458245
Author by

user1458245

Updated on September 18, 2022

Comments

  • user1458245
    user1458245 over 1 year

    Say, I have a program, and I want to monitor its filesystem activity (what files/directories are created/modified/deleted etc.) This program may be capable of spawning further processes, and thus, I would like to get the activity of these spawned processes too.

    How should I go about doing this?

    • Bratchley
      Bratchley almost 10 years
      Not where I can post a full answer but google fatrace

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Getting disk i/o statistics for single process in Linux
What is the difference in CPU utilization between 'ps aux' and 'ps -ef'?
Hidden Files&Directories in user's home directory
Linux : See CPU usage by a process for the last second
How to know recently updated files
Automatically Kill/Restart Process(es) When Memory is Critically Low
How can I see which processes locked a file?
Does anyone know a simple way to monitor root process spawn
monitor open process files on linux (real-time)
Monitor an incoming SSH session in real time