# Monitoring file access

## kakakoka

Recently something is modifying my printcap file (probably cups), and I'd like to know what it is. Is there a way to monitor which processes are accessing a file?

----------

## br0mGreV

http://www.sysinternals.com/linux/utilities/filemon.shtml would help you. Not sure it is in the portage tree.

EDIT :

Extract from the webpage, which means my answer may not work ...

> Note: Linus' policy of not preserving backward compatibility in kernel development has broken Filemon and made obsolete the approach it takes to monitor file system access on recent kernel releases. Unfortunately, there's no alternative mechanism for monitoring file system accesses (including reads) in real-time, and while other system-level tools that take the same approach as Filemon of patching the system-call table (like Intel's Vtune) work-around the changes with hacks, I'm not willing to invest the time on something so prone to breaking.

----------

## tuxmin

Did you try fam?

Alex!!!

----------

## b52_

Hi folks,

I also searched for a tool to log file accesses and found SNARE, which can do this.

I haven't tested it yet, but I will do so soon.

You can find it at http://www.intersectalliance.com/projects/Snare/index.html.

When you look at the first screenshot, you can read statements like "file foo has been removed by user bar".

Here is a little snippet of the documentation:

> The audit module interfaces with the kernel, and wraps critical system calls such as 'execve' (execute a command), 'open' (open a file), 'mkdir' (create a directory), in a routine which gathers information about the process and user that executed, or attempted to execute, the system call in question. The audit module then stores the information in a temporary buffer ready for retrieval by the user-space audit daemon (auditd).
> 
> The kernel patch modifies selected Linux system calls such as 'execve' and so on, to call a separate audit process that stores the information in a temporary buffer ready for retrieval by the user-space audit daemon (auditd).
> 
> The (user-space) audit daemon reads event data from the kernel via the device "/proc/audit". It converts the binary audit data into text format, and separates information into a series of "tokens".


You need a kernel module and a daemon to get these "tokens", but they are not easy to read. Thus, there is also a GUI available.

Well, it's not in Portage yet, but I would be pleased if somebody could do this.

Thanks, bye, b52

----------

## jtome7

The auditd daemon is meant to watch files for any changes; however, I have not been able to get "auditd" (auditctl, ausearch) to work on Gentoo. We installed the Portage package and rebooted, but still get errors when trying to add an audit rule. CAN ANYBODY HELP SOLVE THAT?

```
$ sudo emerge -av sys-process/audit
# /etc/init.d/auditd start
 * status: started
# auditctl -w /var/www/localhost/htdocs/.htaccess -p war -k htaccess
Error sending add rule data request (Invalid argument)
```

----------

## freke

I had to enable CONFIG_AUDIT + CONFIG_AUDITSYSCALL; then it worked (I also had to create the /var/lock/subsys directory, where the init script wants its lock file).

----------
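Once the kernel has CONFIG_AUDIT and CONFIG_AUDITSYSCALL and auditctl accepts the watch rule, the remaining question from the original post is how to read back *which process* touched the file. The script below is an added example written for this thread, not code from any of the posters or from the audit project. It prints the watch rule for a file (the key name `printcap` is my own choice, and the `auditctl` call itself needs root and a working audit kernel, so it is only printed here) and then parses the Linux audit log format (`type=SYSCALL ... comm="..." exe="..." key="..."` records, as written to /var/log/audit/audit.log) to list the pid, uid, command name, executable, syscall number and success flag of every process that hit the watched file. The three-record log embedded in the script is constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): list which processes touched a file
# that auditd is watching. Assumes the watch was installed with the rule
# printed by audit_watch_rule; the key name is our own choice.

# Print the auditctl rule that watches FILE ($1) for writes, reads and
# attribute changes and tags matching records with KEY ($2). Needs root
# and a kernel built with CONFIG_AUDIT + CONFIG_AUDITSYSCALL to actually run.
audit_watch_rule() {
    printf 'auditctl -w %s -p wra -k %s\n' "$1" "$2"
}

# Read audit log text on stdin and, for every SYSCALL record tagged with
# KEY ($1), print the process that made the call. Only the exact field
# names pid/uid/comm/exe/syscall/success are matched, so auid/euid/ouid
# and friends are not confused with uid.
audit_who_touched() {
    awk -v key="$1" '
        /^type=SYSCALL / && index($0, "key=\"" key "\"") {
            pid = uid = comm = exe = sc = ok = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "pid")          pid  = kv[2]
                else if (kv[1] == "uid")     uid  = kv[2]
                else if (kv[1] == "comm")    comm = kv[2]
                else if (kv[1] == "exe")     exe  = kv[2]
                else if (kv[1] == "syscall") sc   = kv[2]
                else if (kv[1] == "success") ok   = kv[2]
            }
            gsub(/"/, "", comm); gsub(/"/, "", exe)
            printf "pid=%s uid=%s comm=%s exe=%s syscall=%s success=%s\n",
                   pid, uid, comm, exe, sc, ok
        }'
}

# Constructed sample log (not a real capture): cupsd opens /etc/printcap
# for writing, vim touches an unrelated watched file, and an unprivileged
# "cat" is denied on /etc/printcap (success=no, exit=-13 is EACCES).
SAMPLE_LOG='type=SYSCALL msg=audit(1199145600.101:42): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=241 a2=1b6 a3=0 items=2 ppid=1 pid=2345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cupsd" exe="/usr/sbin/cupsd" key="printcap"
type=CWD msg=audit(1199145600.101:42): cwd="/"
type=PATH msg=audit(1199145600.101:42): item=0 name="/etc/printcap" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1199145600.102:43): arch=c000003e syscall=2 success=yes exit=4 a0=1 a1=0 a2=0 a3=0 items=1 ppid=2000 pid=2400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="htaccess"
type=SYSCALL msg=audit(1199145600.103:44): arch=c000003e syscall=2 success=no exit=-13 a0=1 a1=241 a2=1b6 a3=0 items=1 ppid=2000 pid=2401 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="printcap"'

# Show the rule you would install, then answer the original question.
audit_watch_rule /etc/printcap printcap
printf '%s\n' "$SAMPLE_LOG" | audit_who_touched printcap
```

On a live system the same answer comes from the audit user-space tools themselves: `ausearch -k printcap -i` prints the tagged records with uids and syscall numbers interpreted, which is what you would normally reach for; the awk version is useful when all you have is a copied audit.log. Note that `-p war` in the post above and `-p wra` here request the same permission set (order does not matter), and that a read watch on a busy file can produce a lot of records, so key your rules and search by key rather than reading the whole log.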

