
I'm using an automation tool to build a virtual machine. During this automation a config file (/etc/myprogram/cofig.ini) is becoming empty.

This file's contents are required to complete the automation, but I'm clueless as to which process is emptying the file.

I want to monitor a file and list the names of the processes that changed the contents of the file.

I'm using Ubuntu 16.04.

I saw some questions on Stack Overflow but did help. I tried to use auditctl, inotify and watchdog. Please let me know any better way to do this. Is there a way to do this using Python?

RMK
  • `inotify` should be able to show whether any other processes are changing the content. How did you use it? – l0b0 Jul 09 '17 at 18:13

2 Answers

The lsof command will show what processes are using which files:

lsof | grep <filename>
Jack

You can use lsof. This command is for finding out what processes currently have the file open. If a process is opening the file, writing to it, and then closing it, you can use auditing.

/sbin/auditctl -w /etc/myprogram/cofig.ini -p war -k config.ini-file

-w watch /etc/myprogram/cofig.ini
-p warx watch for write, attribute change, execute or read events
-k config.ini-file is a search key.

Wait till the file changes, then use

/sbin/ausearch -f /etc/myprogram/cofig.ini | more
omid abbasi
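
Added example (not part of either answer above): because the watch uses -p war, reads are logged alongside writes, so this Python sketch filters the audit records tagged with the config.ini-file key down to the processes that opened a file for writing, and marks the ones that truncated it. The sample records, process names and PIDs are constructed, and the syscall numbers assume x86_64.

```python
import re

# Constructed sample records in audit.log format (not real output).
# Assumes x86_64: syscall 2 = open (flags in a1), 257 = openat (flags in a2).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1499624001.120:412): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c a1=0 a2=1b6 a3=0 items=1 ppid=2210 pid=2231 uid=0 comm="cat" exe="/bin/cat" key="config.ini-file"
type=PATH msg=audit(1499624001.120:412): item=0 name="/etc/myprogram/cofig.ini" nametype=NORMAL
type=SYSCALL msg=audit(1499624007.552:431): arch=c000003e syscall=2 success=yes exit=4 a0=1f3c0a8 a1=241 a2=1b6 a3=0 items=2 ppid=2210 pid=2304 uid=0 comm="provision.sh" exe="/bin/bash" key="config.ini-file"
type=PATH msg=audit(1499624007.552:431): item=1 name="/etc/myprogram/cofig.ini" nametype=NORMAL
type=SYSCALL msg=audit(1499624009.002:440): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f01 a2=241 a3=1b6 items=2 ppid=1 pid=990 uid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="other-key"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
O_WRONLY, O_RDWR, O_TRUNC = 0x1, 0x2, 0x200
FLAG_ARG = {"2": "a1", "257": "a2"}   # open, openat on x86_64


def writers(log_text, key="config.ini-file"):
    """Return one dict per SYSCALL record with `key` that opened a file for writing."""
    found = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or not line.startswith("type=SYSCALL"):
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        arg = FLAG_ARG.get(f.get("syscall"))
        if f.get("key") != key or arg is None or arg not in f:
            continue
        flags = int(f[arg], 16)              # audit logs a0..a3 in hex
        if flags & (O_WRONLY | O_RDWR):
            found.append({"time": float(m.group(1)), "event": int(m.group(2)),
                          "pid": int(f["pid"]), "ppid": int(f["ppid"]),
                          "comm": f["comm"], "exe": f["exe"],
                          "truncated": bool(flags & O_TRUNC)})
    return found


if __name__ == "__main__":
    for w in writers(SAMPLE_LOG):
        print(w)
```

On a real system, pass writers() the text of the ausearch output from the answer above instead of SAMPLE_LOG; the ppid field tells you which parent process to look at next.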