Let's say I am going to run a Mac program that will be doing some patching in my home directory. The program requires ROOT privileges to run and I don't know for sure what it actually does because I don't have the source code.

How can I see a list of all changes made to the file system by a program?

I know I can list currently opened files with `lsof -p pid`. But how do I see retrospectively all changes that the program made in my entire file system?

Another thing that comes to mind is using `find`, but I didn't figure that one out.

Side question: does the pid change when the app gains ROOT privileges?

user3732445

1 Answer

You can use `strace` to record all actions done by the application. In fact, it can trace all children which could be spawned by the original command.

```
strace -o traces -ff ./your-app-to-trace
```

This will generate multiple trace files (one file per process). Then you can grep them to see what files were touched and what was written to them.

Maxim Sagaydachny
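As an added example (not part of the answer above), the "grep them" step can be done with a small parser that keeps only successful system calls that modify a path. It assumes Linux `strace` output in the per-process `traces.<pid>` files produced by the command above; the function names and the sample lines are constructed for illustration.

```python
import re
from pathlib import Path

# Syscalls that change a path without opening it for writing.
MUTATORS = {"creat", "unlink", "unlinkat", "rename", "renameat", "renameat2",
            "mkdir", "mkdirat", "rmdir", "chmod", "fchmodat", "chown", "lchown",
            "fchownat", "truncate", "link", "linkat", "symlink", "symlinkat"}
OPENERS = {"open", "openat"}
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}

CALL = re.compile(r'^(\w+)\((.*)\)\s+=\s+(-?\d+)')   # name(args) = return value
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')          # C-style quoted string
FLAG = re.compile(r'\bO_[A-Z_]+\b')

def file_changes(lines):
    """Return (syscall, path) for each successful path-modifying call."""
    changes = []
    for line in lines:
        m = CALL.match(line)
        if not m or int(m.group(3)) < 0:      # unparsable line or failed call
            continue
        name, args = m.group(1), m.group(2)
        paths = QUOTED.findall(args)          # paths exactly as strace printed them
        if not paths:
            continue
        if name in OPENERS:
            # Look for flags outside the quoted path, so "/tmp/O_CREAT" is not a flag.
            if WRITE_FLAGS & set(FLAG.findall(QUOTED.sub("", args))):
                changes.append((name, paths[0]))
        elif name.startswith("rename"):
            changes.extend((name, p) for p in paths)   # old and new name both change
        elif name.startswith(("link", "symlink")):
            changes.append((name, paths[-1]))          # only the new link is created
        elif name in MUTATORS:
            changes.append((name, paths[0]))
    return changes

def changes_by_process(directory=".", prefix="traces"):
    """Map each per-process trace file name to the changes found in it."""
    return {f.name: file_changes(f.read_text(errors="replace").splitlines())
            for f in sorted(Path(directory).glob(prefix + ".*"))}

# Constructed sample lines in strace's output format.
SAMPLE = [
    'openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3',
    'openat(AT_FDCWD, "/home/user/.config/app.conf", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4',
    'write(4, "patched=1\\n", 10) = 10',
    'openat(AT_FDCWD, "/root/secret", O_WRONLY) = -1 EACCES (Permission denied)',
    'rename("/home/user/a.tmp", "/home/user/a") = 0',
    'unlink("/home/user/.cache/old") = 0',
    'symlink("/usr/bin/tool", "/home/user/bin/tool") = 0',
]
```

Relative paths in the trace are relative to the traced process's working directory at the time of the call, so they are reported unchanged rather than resolved.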