In Windows land, you can run Procmon (Process Monitor) from Sysinternals, which will show you every file access, registry query, etc. system-wide (screenshot attached). You can then backtrack to find which process(es) are touching / accessing a particular file (or registry key).

In Linux land, I sometimes want to find which process(es) are accessing a particular file on the system - but I have no idea which process to start looking at. I am aware of strace, and I know I can attach it to more than one process - but is there a way to output every file access globally under Linux?

[Screenshot: Example of ProcMon on Windows]

Patrick Rynhart

2 Answers

This being Linux, of course there is more than one way to do it.

Tracing method. Scripts that use ftrace or eBPF to trace whatever in the kernel. For an example tracing open(), see opensnoop. You can filter by PID or file name. Very powerful, and can be used ad hoc, but not everyone is comfortable with writing kernel probe scripts yet.

Audit method. Configure auditd rules to log certain file access or system calls. Follow the examples of how to monitor a path. The Linux audit subsystem has been used in enterprise environments to meet compliance requirements. Documented, good at logging, but can't instrument everything on the fly.

John Mahowald
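As an added worked example for the audit method (this is not part of the answer above, and not code from the audit project), the end-to-end flow is: install a path watch with auditctl, pull the matching records back with ausearch, and reduce them to the processes that touched the file. The watched path is the one from the question's comments; the key name "file-watch", the script's function names and the audit records it parses are all constructed for this example rather than captured from a real host.

```shell
#!/bin/sh
# Added example: list which processes touched an audited path.
#
# Assumed setup on a real host (not run here):
#   auditctl -w /opt/path/to/some/random/file -p wa -k file-watch
#   ausearch -k file-watch --raw | ...   # feed the raw records to audit_actors
#
# audit_actors KEY: read raw audit records on stdin and print one
# "pid comm exe" line per distinct process whose SYSCALL record carries KEY.
audit_actors() {
  awk -v key="$1" '
    $1 == "type=SYSCALL" {
      pid = ""; comm = ""; exe = ""; k = ""
      for (i = 2; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        name = substr($i, 1, eq - 1)
        val  = substr($i, eq + 1)
        gsub(/"/, "", val)            # strip the quotes audit puts around strings
        if      (name == "pid")  pid  = val
        else if (name == "comm") comm = val
        else if (name == "exe")  exe  = val
        else if (name == "key")  k    = val
      }
      if (k == key) print pid, comm, exe
    }' | sort -u
}

# sample_audit_log: constructed records in "ausearch --raw" shape (not captured
# from a real system). Events 4567 and 4568 hit the watched file under key
# "file-watch"; event 4569 belongs to a different rule and must be ignored.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1590800000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d4c0a0 a2=241 a3=1b6 items=2 ppid=1234 pid=5678 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="file-watch"
type=CWD msg=audit(1590800000.123:4567): cwd="/home/user"
type=PATH msg=audit(1590800000.123:4567): item=1 name="/opt/path/to/some/random/file" inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1590800001.500:4568): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7f00 a2=41 a3=1b6 items=2 ppid=1234 pid=9012 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim" key="file-watch"
type=PATH msg=audit(1590800001.500:4568): item=1 name="/opt/path/to/some/random/file" inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1590800002.000:4569): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f10 a2=0 a3=0 items=1 ppid=1 pid=3333 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=3 comm="cat" exe="/usr/bin/cat" key="other-watch"
EOF
}

# Demo: which processes modified the watched path in the sample records.
sample_audit_log | audit_actors file-watch
```

Because the rule is keyed, short-lived processes are caught too: the record is written by the kernel at syscall time, so there is nothing to attach to. One caveat when adapting the parser: audit hex-encodes string fields that contain spaces or non-printable bytes and drops the quotes around them, so a comm or exe with such characters will show up encoded rather than as plain text.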

Sysdig will do what you are looking for. However it requires root access and the sysdig-probe module.

turbo
  • I'm wanting to be able to see the underlying system calls on the system, such as (for example): stat("/home/p/prynhart/.netrc", 0x7ffc8640c0a0) = -1 ENOENT (No such file or directory). Are you familiar with strace? I'm wanting the equivalent of this but system-wide (as opposed to one - or individually specified - processes) – Patrick Rynhart May 30 '20 at 01:44
  • are you wanting to just get a view, or are you planning to pipe the output somewhere? The latter would require a loop -- the former can be seen in a tree view from htop with F5 – turbo May 30 '20 at 01:53
  • I was hoping to be able to see a "live stream" of activity - and use this to back calculate/determine which processes were undertaking calls (as opposed to sampling all processes in turn on a system). After looking around for a bit, I think that this is what I'm after (maybe ?? but I haven't used it before and I'm only interested in user space processes): https://blogs.vmware.com/opensource/2019/11/12/ftrace-linux-kernel/ – Patrick Rynhart May 30 '20 at 02:05
  • On second thoughts - maybe this isn't what I'm after (seems to be only tracing functions within the kernel). I was hoping there was basically something equivalent to "Process Monitor" by Sysinternals on Windows (all calls listed along with the processes undertaking them in one massive list). But maybe there isn't in Linux – Patrick Rynhart May 30 '20 at 02:08
  • Scenario: Some unknown process is changing some file located at '/opt/path/to/some/random/file'. You have no clue as to which process might be doing this - so how do you go about determining which process or processes are doing this? – Patrick Rynhart May 30 '20 at 02:09
  • Furthermore, suppose that the process only exists for a very small amount of time - i.e. not fine enough resolution in terms of time for something like htop to be able to attach to the (parent) process. Hence why I was wanting to see the global "live feed" of all calls if this is possible. – Patrick Rynhart May 30 '20 at 02:13
  • sysdig will do what you are looking for. However it requires root access and the sysdig-probe module. Beyond that perhaps a bash script or a go or c binary could be crafted, but it would take some time ... – turbo May 30 '20 at 02:21
  • Absolutely brilliant! Sysdig is exactly what I want. I have just tested it under Ubuntu 20.04. Thank you so much! Please edit your answer and I will accept it :-). – Patrick Rynhart May 30 '20 at 02:30
  • Edited. Happy to help :) – turbo May 30 '20 at 02:32
  • Thank you. I was a bit confused because I thought at first you were telling me to just use "top". I didn't realise that htop does much more (including process sampling). But Sysdig is really what I am after for this particular scenario. Really appreciate your help and sorry for the downvote - that was my confusion. Cheers – Patrick Rynhart May 30 '20 at 02:37
  • Sysdig seems like process/system call equivalent of tcpdump (including the ability to take scap captures). Wonderful stuff - thanks again. – Patrick Rynhart May 30 '20 at 02:39