1

strace can monitor only a single process, not all of them. lsof is not a good way either: it's not a real-time tool. Maybe I need a real-time version of lsof? How do I list all the processes which have accessed a particular file?

semuci
  • I think you're looking for either auditd (not for the faint-hearted) or inotify. – doneal24 Sep 27 '18 at 12:22
  • You can relate to this: https://unix.stackexchange.com/questions/18684/access-history-of-a-file – Nico Sep 27 '18 at 12:29
  • I issued the following at the command prompt, respectively: auditctl -w /path/to/afil.txt, then tail -f /var/log/audit/audit.log. When I open afil.txt, /var/log/audit/audit.log has no change; audit.log gets refreshed if I move afil.txt to Trash, but not with the huge number of things as they said. Is there any mistake in what I issued? – semuci Sep 29 '18 at 13:10
  • Very sorry for the comment formatting. – semuci Sep 29 '18 at 13:26

1 Answer

2

You can use fanotify(7). It's similar to inotify, but it tells you the PID of the accessing process.

  • I forgot to tell you that I have only one suspicious program running on my Linux that needs to be monitored. Will the program call other "normal" programs for the access? – semuci Sep 29 '18 at 10:25
  • I issued the following at the command prompt, respectively: auditctl -w /path/to/afil.txt, then tail -f /var/log/audit/audit.log. When I open afil.txt, /var/log/audit/audit.log has no change; audit.log gets refreshed if I move afil.txt to Trash, but not with the huge number of things as they said. Is there any mistake in what I issued? – semuci Sep 29 '18 at 13:04
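
The fanotify(7) approach from the answer above, as an added example that is not part of the original answer or its comments: a small watcher that marks one file and prints the PID and executable of every process that opens, reads or writes it. The names `struct hit` and `collect_hits` are made up for this sketch.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/fanotify.h>
#include <unistd.h>

struct hit { pid_t pid; unsigned long long mask; };   /* hypothetical helper type */

/* Walk one read() worth of fanotify events, record up to max (pid, mask) pairs
 * and close each event fd. Returns the count, or -1 on a metadata version mismatch. */
static int collect_hits(void *buf, ssize_t len, struct hit *out, int max)
{
    struct fanotify_event_metadata *ev = buf;
    int n = 0;
    for (; FAN_EVENT_OK(ev, len) && n < max; ev = FAN_EVENT_NEXT(ev, len)) {
        if (ev->vers != FANOTIFY_METADATA_VERSION)
            return -1;
        if (ev->fd >= 0)
            close(ev->fd);   /* each event carries an open fd; do not leak it */
        out[n++] = (struct hit){ ev->pid, ev->mask };
    }
    return n;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    /* fanotify_init() needs CAP_SYS_ADMIN, so run this as root. */
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan < 0) { perror("fanotify_init"); return 1; }
    if (fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN | FAN_ACCESS | FAN_MODIFY,
                      AT_FDCWD, argv[1]) < 0) { perror("fanotify_mark"); return 1; }
    struct fanotify_event_metadata buf[64];
    struct hit hits[64];
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        int n = len > 0 ? collect_hits(buf, len, hits, 64) : -1;
        if (n < 0) { fprintf(stderr, "read failed or version mismatch\n"); return 1; }
        for (int i = 0; i < n; i++) {
            char link[32], exe[4096] = "?";   /* "?" if the process already exited */
            snprintf(link, sizeof link, "/proc/%d/exe", (int)hits[i].pid);
            ssize_t l = readlink(link, exe, sizeof exe - 1);
            if (l > 0) exe[l] = '\0';
            printf("pid=%d exe=%s%s%s%s\n", (int)hits[i].pid, exe,
                   hits[i].mask & FAN_OPEN ? " open" : "", hits[i].mask & FAN_ACCESS ? " read" : "",
                   hits[i].mask & FAN_MODIFY ? " write" : "");
        }
    }
}
```

Compile it with a C compiler and run it as root with the path of the file to watch. The PID reported is that of the process that made the access, so a helper program launched by the one under suspicion shows up under its own PID.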