
Situation

I have a directory /home/foo on a server, and I guess that it is not needed any more.

Unfortunately nobody can tell me if this directory is still needed.

Goal

If this directory is still needed, I want to know which process accesses it.

Current Strategy

Watch all file opens below this directory.

Why not inotify

Unfortunately the directory contains a lot of sub-directories, that's why I don't want to use inotify.

  • 1604508 files
  • 287253 sub-directories

Question

How can I watch all file opens below a directory (recursive) tree? I want to know which process accesses it.

Environment

  • /home is an ext4 filesystem.
  • SuSE Linux 12.3. Kernel: 3.7.10

Not duplicate

My question is not a duplicate of Is it possible to find out what program or script created a given file? since:

  • I can't use inotify since the directory tree contains too many sub directories.
  • I can't use loggedfs: I can't change the file system type of this directory.

Bounty

There are already two good answers. But I am curious, maybe there are other ways: Bounty of 50 :-)

guettli
  • 1,389
  • Which Linux distribution? – EightBitTony Apr 26 '16 at 10:37
  • @EightBitTony SuSE. I updated the question. – guettli Apr 26 '16 at 11:04
  • SUSE has auditd, so my answer should work. – EightBitTony Apr 26 '16 at 11:07
  • Why couldn't you make a filesystem of /home/foo? – dan May 12 '16 at 08:27
  • @danielAzuelos /home/foo is already a filesystem. I guess you mean "why couldn't you change the filesystem type?". Right? – guettli May 12 '16 at 08:33
  • No. You indicated this detail for /home not for /home/foo. My idea was to suggest you to make an independent FS of /home/foo and to track any /dev/rdiskn raw device access. – dan May 12 '16 at 15:13
  • You can always take the low-tech approach of removing the directory tree (after backing up the fs, of course) and seeing who or what complains. :) – jayhendren May 12 '16 at 22:32
  • @jayhendren the directory tree is huge, and in the backup. I could do a remove and restore, but this would cause a lot of IO which would impact the service of this machine. That's why I want a solution without changing the filesystem type. Do you understand my concerns? If not, please ask :-) – guettli May 13 '16 at 06:46
  • SystemTap can be used to monitor opening files like described here...you can delete all but the syscall.open.return probe (as you do not need to monitor reads and writes)...good luck! – vlp May 15 '16 at 21:30
  • This one is interesting as well... – vlp May 15 '16 at 21:33
  • @jayhendren I fully support the BOFH method of "removing it and seeing who complains". – Zanchey May 16 '16 at 19:29

3 Answers


You should be able to use auditd (although it depends on your Linux distribution having it available).

The auditctl command is used to configure auditing, and the man page should describe how to achieve what you need.

Something like,

auditctl -w /home/foo -p war -k foo-watch

You can then search the audit log later using,

ausearch -k foo-watch

An example of doing this on SUSE can be found here.

EightBitTony
  • 21,373
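To turn the audit trail into a direct answer to "which process is using /home/foo?", here is an added example (not EightBitTony's, and not part of auditd) that joins the SYSCALL and PATH records returned by ausearch for the foo-watch key into a per-process summary; it assumes the standard auditd record fields (type=, msg=audit(time:serial), pid=, exe=, key=, name=) and runs on a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the answer above. Reduces the raw records that
#   ausearch -k foo-watch --raw
# returns for the watch "auditctl -w /home/foo -p war -k foo-watch" to a
# per-process summary, so a week of audit data answers "which exe/pid touched
# what under /home/foo?". The sample below is constructed and keeps only the
# record fields the parser reads; real records carry many more.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1463000000.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=4021 comm="tail" exe="/usr/bin/tail" key="foo-watch"
type=CWD msg=audit(1463000000.101:501): cwd="/home/foo"
type=PATH msg=audit(1463000000.101:501): item=0 name="/home/foo/logs/app.log" inode=12 mode=0100644
type=SYSCALL msg=audit(1463000000.102:502): arch=c000003e syscall=2 success=yes exit=4 pid=4021 comm="tail" exe="/usr/bin/tail" key="foo-watch"
type=PATH msg=audit(1463000000.102:502): item=0 name="/home/foo/logs/app.log" inode=12 mode=0100644
type=SYSCALL msg=audit(1463000000.103:503): arch=c000003e syscall=2 success=yes exit=3 pid=777 comm="backup.sh" exe="/bin/bash" key="foo-watch"
type=PATH msg=audit(1463000000.103:503): item=0 name="/home/foo/data/db.sqlite" inode=99 mode=0100600
type=SYSCALL msg=audit(1463000000.104:504): arch=c000003e syscall=2 success=yes exit=3 pid=900 comm="cat" exe="/bin/cat" key="other-watch"
type=PATH msg=audit(1463000000.104:504): item=0 name="/etc/hosts" inode=5 mode=0100644'

# summarize_audit_access KEY PREFIX  (audit records on stdin)
# A SYSCALL record names the process; the PATH record(s) that follow it name
# the file(s). They share the event id in "msg=audit(time:serial)", so join on
# that, keep events tagged KEY whose path starts with PREFIX, and print
# "count exe pid path", most frequent first.
summarize_audit_access() {
    awk -v key="$1" -v prefix="$2" '
    # field(line, k): value of k=... or k="..." in an audit record
    # (auditd hex-encodes names containing spaces or quotes, so a value
    # never contains either)
    function field(line, k,    m) {
        if (!match(line, "(^| )" k "=\"?[^\" ]*")) return ""
        m = substr(line, RSTART, RLENGTH)
        sub(/^ ?[^=]*="?/, "", m)
        return m
    }
    {
        id = field($0, "msg"); sub(/^audit\(/, "", id); sub(/\).*$/, "", id)
        t = field($0, "type")
        if (t == "SYSCALL" && field($0, "key") == key) {
            exe[id] = field($0, "exe"); pid[id] = field($0, "pid")
        } else if (t == "PATH" && (id in exe)) {
            p = field($0, "name")
            if (index(p, prefix) == 1) count[exe[id] " " pid[id] " " p]++
        }
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Demo on the constructed sample; on the server it would be
#   ausearch -k foo-watch --raw | summarize_audit_access foo-watch /home/foo
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_audit_access foo-watch /home/foo
```

Events tagged with another key, or paths outside the prefix, are dropped, so a watch shared with other rules does not pollute the summary.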

I don't know if it's enabled in SuSE, but the fanotify api watches an entire filesystem. There is even a simple utility fatrace that will show you each file being opened, read, written, closed. Example

$ cd; sudo fatrace -f O -c 
tail(1500): CO /home/meuh/dot/privoxy/logs/160426
ls(28599): O /home/meuh
bash(2075): O /home/meuh/dot/bashhistory.xt-right

The -f O is just to trace opens, and -c to just trace the entire filesystem which holds the current working directory. You can optionally get a timestamp too.

meuh
  • 51,383
  • fatrace is available for openSUSE >13.1, not before, according to http://software.opensuse.org/package/fatrace?search_term=fatrace (expand the lists to find there's no package for 12.3). – L. Levrel May 18 '16 at 09:56
  • I hope we get a more recent Linux soon :-) – guettli May 19 '16 at 08:14

I can see several ways:

  • if your filesystem containing /home/foo is mounted with the atime (or equivalent for your filesystem's type), you can then use find /home/foo -atime +10 -ls to see if any of its files has been accessed in less than 11 days

  • or if you prefer to "poke" and see if right now something is accessed under this directory : lsof | grep /home/foo should give you some clue (to test: cd /home/foo ; lsof | grep /home/foo : should at least output your shell's pid, as it now has its cwd (current working directory) under that path...)

( note: I can't test both right now, no linux at hand... but I think both should work )