7

I have a configuration file and want to learn what executables are using it (if any). I want to catch who is the reader of this file.

If I watch with some interval, I miss it, because the read happens so quickly:

watch -d -n 1 "lsof /home/me/my.conf"

If I try to execute the program I'm pretty sure uses it under the auspices of strace, it fails because of the additional delay strace introduces.

strace -o /tmp/$(date +%s)_myprog.trace myprog

How can I reliably prove that myprog is NOT reading this file?

tarabyte
  • 4,296
  • This sounds like a variation of the halting problem. – Kusalananda Jun 10 '17 at 17:46
  • @Kusalananda, in this case, I only need to search for the first 10 or so seconds after starting myprog. – tarabyte Jun 10 '17 at 17:51
  • This might help: https://stackoverflow.com/questions/9614184/how-to-trace-per-file-io-operations-in-linux – Joe P Jun 10 '17 at 18:25
  • This question does not seem a duplicate of that particular question. This question is about realtime debugging, the old question mentions finding out if a file was accessed in the last few days. While some answers will overlap, there will be different strategies and answers. – Rui F Ribeiro Jun 11 '17 at 09:27

1 Answer

9

Watching what files a process opens, or what processes open a file, seems like a job for sysdig.

From the sysdig examples page:

Basic opensnoop: snoop file opens as they occur

sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open

Observe the I/O activity on all files named my.conf

sysdig -A -c echo_fds "fd.filename=my.conf"

From man sysdig:

NAME
   sysdig - the definitive system and process troubleshooting tool

SYNOPSIS
   sysdig [option]... [filter]

DESCRIPTION
   sysdig is a tool for system troubleshooting, analysis and exploration.
   It can be used to capture, filter and decode system calls and other
   OS events.
   sysdig can be both used to inspect live systems, or to generate trace
   files that can be analyzed at a later stage.

   sysdig includes a powerful filtering language, has customizable output,
   and can be extended through Lua scripts, called chisels.
Rui F Ribeiro
  • 56,709
  • 26
  • 150
  • 232
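To turn a capture from the "Basic opensnoop" command above into an answer about one file, the saved output can be summarised per process. This is an added example, not part of the original answer: the function names, the `confd` process and the sample capture are constructed for illustration. An empty result covers only the capture window and only the event types the filter selected (`evt.type=open` does not match `openat`).

```shell
#!/bin/sh
# Summarise output produced with the answer's format string:
#   %12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name
# Columns after whitespace splitting:
#   $1 user.name  $2 proc.pid  $3 proc.name  $4 fd.num  $5 fd.typechar  $6.. fd.name
# Note: %12proc.name limits the name column to 12 characters.

# readers_of PATH  (capture on stdin)
# Prints "proc.name pid count" for each process that opened exactly PATH.
readers_of() {
    awk -v target="$1" '
        NF >= 6 {
            # fd.name is the last column and may contain spaces: rebuild it
            # (runs of spaces inside a file name collapse to one).
            name = $6
            for (i = 7; i <= NF; i++) name = name " " $i
            if (name == target) hits[$3 " " $2]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort
}

# opened_by PATH PROC  (capture on stdin)
# Exit status 0 if a process named PROC opened PATH, 1 otherwise.
opened_by() {
    readers_of "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# Constructed sample capture (not real sysdig output).
sample_capture() {
cat <<'EOF'
me             4211 myprog         3 f /etc/ld.so.cache
me             4211 myprog         3 f /home/me/.myprogrc
root            812 confd          5 f /home/me/my.conf
root            812 confd          5 f /home/me/my.conf
me             4211 myprog         4 f /home/me/my.conf.bak
EOF
}

# Who opened the file during the capture?
sample_capture | readers_of /home/me/my.conf

# Did myprog open it?
if sample_capture | opened_by /home/me/my.conf myprog; then
    echo "myprog opened my.conf"
else
    echo "myprog did not open my.conf in this capture"
fi
```

With a real capture, redirect the sysdig output to a file and feed it to the functions on stdin, for example `readers_of /home/me/my.conf < opens.log`.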