You could use the in-kernel mechanism inotify for monitoring accessed files.
First you should check if inotify is turned on in the kernel:
pbm@tauri ~ $ zcat /proc/config.gz | grep CONFIG_INOTIFY
CONFIG_INOTIFY=y
CONFIG_INOTIFY_USER=y
The next thing to do is install inotify-tools. Instructions for various distributions can be found on the project page; it should be in the repositories of all major distributions.
After that inotify is ready to work:
inotifywait /dirs/to/watch -mrq
(-m = do not exit after one event, -r = recursive, -q = quiet)
For example, the output after running ls /home/pbm:
pbm@tauri ~ $ inotifywait /bin /home/pbm -mq
/bin/ OPEN ls
/bin/ ACCESS ls
/bin/ ACCESS ls
/home/pbm/ OPEN,ISDIR
/home/pbm/ CLOSE_NOWRITE,CLOSE,ISDIR
/bin/ CLOSE_NOWRITE,CLOSE ls
An important thing is to properly set the directories to watch:
- don't watch / recursively - there is a lot of read/write to /dev and /proc
- don't watch your home dir recursively - when you use apps there is a lot of read/write to application configuration dirs and browser profile dirs
In /proc/sys/fs/inotify/max_user_watches there is a configuration option that shows how many files can be watched simultaneously. The default value (for Gentoo) is not so high, so if you set a watcher on /home/ you could exceed the limit. You can increase the limit using echo (root access needed):
echo 524288 > /proc/sys/fs/inotify/max_user_watches
But before that you should read about the consequences of that change.
Options that could be interesting for you:
-d = daemon mode
-o file = output to file
--format = user-specified format, more info in man inotifywait
-e EVENT = which events should be monitored (for example access, modify, etc.; more info in man)
I think the easiest method to achieve what you want here will be the use of iptables along with logging to either the LOG or ULOG targets.
This will leave you with the following type of log information:
Aug 13 14:42:07 srv1 IN=eth0 OUT= MAC=00:0c:29:8c:2b:6c:00:d0:02:eb:e8:0a:08:00 SRC=75.125.70.194 DST=XXX.XXX.XXX.XXX LEN=40 TOS=00 PREC=0x00 TTL=54 ID=9566 PROTO=TCP SPT=57144 DPT=445 SEQ=2770468863 ACK=0 WINDOW=512 SYN URGP=0
Aug 13 14:45:29 srv1 IN=eth0 OUT= MAC=00:0c:29:8c:2b:6c:00:d0:02:eb:e8:0a:08:00 SRC=75.125.70.194 DST=XXX.XXX.XXX.XXX LEN=40 TOS=00 PREC=0x00 TTL=55 ID=13702 PROTO=TCP SPT=58528 DPT=445 SEQ=1217789951 ACK=0 WINDOW=512 SYN URGP=0
You'll then be able to use standard tools such as awk or grep to pull data from this when you want to see what's going on on this system.
Two rules such as these should log any "NEW" connections that are either incoming or outgoing. These will prefix the rules so that they're easier to spot:
iptables -I INPUT -m state --state NEW -j LOG --log-prefix "New Connection: "
iptables -I OUTPUT -m state --state NEW -j LOG --log-prefix "New Connection: "
Resulting in log entries like this:
[ 2134.566659] New Connection: IN= OUT=wlan0 SRC=192.168.178.229 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65094 DF PROTO=UDP SPT=55717 DPT=53 LEN=40
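The "pull data from this with awk or grep" step, carried a little further as an added example (not part of the answer above): a small Python parser for the iptables LOG line format that splits the KEY=VALUE tokens and bare flag tokens, then counts new connections per direction, protocol and destination port. It assumes the rules used the --log-prefix "New Connection: " shown above; the sample lines are constructed to mirror the syslog-style and dmesg-style lines in the answer, with documentation-range addresses.

```python
from collections import Counter

# Constructed sample input, shaped like the two log formats shown in the answer above
# (syslog-prefixed lines and a dmesg-style line); addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 13 14:42:07 srv1 kernel: New Connection: IN=eth0 OUT= MAC=00:0c:29:8c:2b:6c:00:d0:02:eb:e8:0a:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=9566 PROTO=TCP SPT=57144 DPT=445 SEQ=2770468863 ACK=0 WINDOW=512 SYN URGP=0
Aug 13 14:45:29 srv1 kernel: New Connection: IN=eth0 OUT= MAC=00:0c:29:8c:2b:6c:00:d0:02:eb:e8:0a:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=13702 PROTO=TCP SPT=58528 DPT=445 SEQ=1217789951 ACK=0 WINDOW=512 SYN URGP=0
[ 2134.566659] New Connection: IN= OUT=wlan0 SRC=192.168.178.229 DST=192.168.178.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65094 DF PROTO=UDP SPT=55717 DPT=53 LEN=40
Aug 13 14:46:01 srv1 sshd[4321]: Accepted publickey for pbm from 192.168.178.21 port 50022
"""

LOG_PREFIX = "New Connection: "  # must match --log-prefix in the iptables rules


def parse_log_line(line, prefix=LOG_PREFIX):
    """Parse one iptables LOG line into a dict; return None for unrelated lines."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields, flags = {}, []
    for tok in line[idx + len(prefix):].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # UDP lines carry LEN= twice (IP total length, then UDP length);
            # keep the first occurrence so LEN always means the IP length.
            fields.setdefault(key, val)
        else:
            flags.append(tok)  # bare tokens such as DF, SYN, ACK, FIN
    fields["FLAGS"] = flags
    # IN= is empty for locally originated packets matched in the OUTPUT chain.
    fields["DIRECTION"] = "in" if fields.get("IN") else "out"
    return fields


def summarize(log_text):
    """Count new connections per (direction, proto, dst port) and the peers seen for each."""
    counts, peers = Counter(), {}
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        key = (f["DIRECTION"], f.get("PROTO"), f.get("DPT"))
        counts[key] += 1
        peer = f.get("SRC") if f["DIRECTION"] == "in" else f.get("DST")
        peers.setdefault(key, set()).add(peer)
    return counts, peers


if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_LOG)
    for (direction, proto, dpt), n in counts.most_common():
        print(f"{direction:>3} {proto:<4} dpt={dpt:<5} new={n} peers={sorted(peers[(direction, proto, dpt)])}")
```

Feeding it the real file (e.g. grep "New Connection:" /var/log/kern.log) instead of SAMPLE_LOG gives a quick per-port view of who is opening connections to, and from, the host.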
Best Answer
You can use strace for this: strace traces system calls and prints a description of them to standard error as they occur. The -f option tells it to track child processes and threads as well. -e lets you modify the calls it will track: -e trace=file will log every use of open, unlink, etc., but no non-file actions. If you want to see what was read from and written to files, change it to -e trace=file,read,write instead; you can list out any additional calls you want to examine there as well. If you leave off that argument entirely you get every system call.
The output is like this (I ran mkdir /tmp/test in a traced shell):
You can log to a file instead of the terminal with -o filename, and make the output (even) more verbose with -v. It's also possible to attach to an already-existing process with -p PID, in case that's more useful.
If you're looking to do this programmatically, rather than to inspect yourself, look at the ptrace call, which is what strace is built on.