watching all activity on a file?

Bill McGonigle bill at bfccomputing.com
Thu Dec 20 16:45:22 EST 2007


On Dec 20, 2007, at 14:31, Stephen Ryan wrote:

> inotify / inotify-tools.

inotify looks like a currently useful kernel facility.

inotify:
   is the replacement for dnotify
   needs a 2.6.8+ kernel

Get/build (if not in your repos):
   wget http://superb-east.dl.sourceforge.net/sourceforge/inotify-tools/inotify-tools-3.12.tar.gz
   tar -zxvf inotify-tools-3.12.tar.gz
   cd inotify-tools-3.12
   ./configure --prefix=/usr/local && make && make check && make install

What does it do?:

for:

   mkdir ~/testdir
   ls -l ~/testdir/
   file ~/testdir/
   mv ~/testdir ~/nottestdir
   mv ~/nottestdir/ ~/testdir
   rmdir ~/testdir

# /usr/local/bin/inotifywatch ~/testdir/
   Establishing watches...
   Finished establishing watches, now collecting statistics.

   total  close_nowrite  open  move_self  delete_self  filename
   6      1              1     2          1            /home/bfccomputing/testdir/

# /usr/local/bin/inotifywait -m ~/testdir

   Setting up watches.
   Watches established.
   /home/bfccomputing/testdir/ OPEN,ISDIR
   /home/bfccomputing/testdir/ CLOSE_NOWRITE,CLOSE,ISDIR
   /home/bfccomputing/testdir/ MOVE_SELF
   /home/bfccomputing/testdir/ MOVE_SELF
   /home/bfccomputing/testdir/ DELETE_SELF
   /home/bfccomputing/testdir/ IGNORED

This is useful, but I was hoping to also get the PID that was piddling so I could find out why a certain file was being messed with.  None of the APIs I looked at have such a field.  I haven't read the kernel source yet, but I assume it's not there based on none of the APIs including it.  It could be that the filesystem isn't aware, I'm ignorant here.  If that is the case, I assume a higher-level API would be required to catch the whole transaction.

In the meantime I'll probably try to use the Perl API and process  
auditing to come up with a decent guess.

FAM looks like it was designed with the same goals in mind, but  
appears to not be currently maintained (they're 'working on' dnotify  
support...).  FAM is portable to IRIX, though.  FAM doesn't have  
'responsible PID' either.

Thanks, all!

-Bill

-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
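As an added example (not code from Bill's post or from the inotify-tools project): the same watch as the `inotifywait -m ~/testdir` run above, done directly against the kernel's inotify calls through ctypes, with a raw-event parser and a best-effort `/proc` scan that guesses which PIDs currently hold the watched path open. The scan is the "decent guess" the post talks about: inotify events really do carry no PID (the `struct inotify_event` record is just wd, mask, cookie, len and name), so any process that opened and closed the file before the scan runs will be missed. The `~/testdir` default and the `pack_event` helper (used to build sample records offline) are assumptions of this example.

```python
"""Added example, not from the post: a minimal inotify watcher built on
ctypes/libc (no inotify-tools needed), plus a best-effort /proc scan to
guess which PID has the watched path open, since inotify events carry no PID."""
import ctypes
import os
import struct
import sys
import time

# Subset of the event mask bits from <sys/inotify.h>.
IN_MODIFY = 0x00000002
IN_CLOSE_WRITE = 0x00000008
IN_CLOSE_NOWRITE = 0x00000010
IN_OPEN = 0x00000020
IN_DELETE_SELF = 0x00000400
IN_MOVE_SELF = 0x00000800
IN_IGNORED = 0x00008000
IN_ISDIR = 0x40000000
WATCH_MASK = (IN_MODIFY | IN_CLOSE_WRITE | IN_CLOSE_NOWRITE | IN_OPEN
              | IN_DELETE_SELF | IN_MOVE_SELF)

# Names in the order they are decoded; ISDIR always comes last, as inotifywait prints it.
MASK_NAMES = [
    (IN_MODIFY, "MODIFY"), (IN_CLOSE_WRITE, "CLOSE_WRITE"),
    (IN_CLOSE_NOWRITE, "CLOSE_NOWRITE"), (IN_OPEN, "OPEN"),
    (IN_DELETE_SELF, "DELETE_SELF"), (IN_MOVE_SELF, "MOVE_SELF"),
    (IN_IGNORED, "IGNORED"), (IN_ISDIR, "ISDIR"),
]

# struct inotify_event header: int wd; uint32_t mask, cookie, len; followed by name[len].
EVENT_HDR = struct.Struct("=iIII")


def decode_mask(mask):
    """Map a raw mask to inotifywait-style names, e.g. ['OPEN', 'ISDIR']."""
    return [name for bit, name in MASK_NAMES if mask & bit]


def pack_event(wd, mask, name=b"", cookie=0):
    """Build one raw inotify_event record (constructed input for offline testing)."""
    padded = b""
    if name:  # the kernel NUL-terminates and pads name to a multiple of the header size
        padded = name + b"\0" * (EVENT_HDR.size - len(name) % EVENT_HDR.size)
    return EVENT_HDR.pack(wd, mask, cookie, len(padded)) + padded


def parse_events(buf):
    """Parse a buffer of raw inotify_event records into (wd, names, filename) tuples."""
    events, off = [], 0
    while off + EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, length = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        raw_name = buf[off:off + length]
        off += length
        name = raw_name.split(b"\0", 1)[0].decode("utf-8", "replace")
        events.append((wd, decode_mask(mask), name))
    return events


def pids_with_path_open(path):
    """Heuristic only (Linux /proc): PIDs that hold path open at the moment of the scan."""
    target = os.path.realpath(path)
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = os.path.join("/proc", pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not ours to inspect
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    hits.append(int(pid))
                    break
            except OSError:
                continue
    return hits


def watch(path, seconds=5.0):
    """Watch path via libc's inotify calls; return the (names, filename) events seen."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
    fd = libc.inotify_init1(os.O_NONBLOCK)  # IN_NONBLOCK shares O_NONBLOCK's value
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1 failed")
    if libc.inotify_add_watch(fd, os.fsencode(path), WATCH_MASK) < 0:
        raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
    seen, deadline = [], time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            buf = os.read(fd, 64 * 1024)
        except BlockingIOError:
            time.sleep(0.05)
            continue
        for _wd, names, name in parse_events(buf):
            seen.append((names, name))
            print(path, ",".join(names), name, "open by:", pids_with_path_open(path))
    os.close(fd)
    return seen


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("inotify is Linux-only")
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/testdir")
    watch(target, seconds=30.0)
```

Run it against `~/testdir` and repeat the `ls`/`file`/`mv`/`rmdir` sequence from the post in another shell; the OPEN, CLOSE_NOWRITE, MOVE_SELF and DELETE_SELF lines match the inotifywait output, and the trailing "open by" list is the guess at the responsible PID. Where the PID actually matters (a file being modified by something unknown), the Linux audit subsystem is the authoritative source: a path watch such as `auditctl -w /path/to/file -p rwa -k watchfile` produces records that include the acting pid, uid and executable, which inotify by design never provides.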