Linux – Trace access to a directory tree


Situation

I have a directory /home/foo on a server, and I guess that it is not needed any more.

Unfortunately nobody can tell me if this directory is still needed.

Goal

If this directory is still needed, I want to know which process accesses it.

Current Strategy

Watch all file opens below this directory.

Why not inotify

Unfortunately the directory contains a lot of sub-directories; that's why I don't want to use inotify.

  • 1604508 files
  • 287253 sub-directories

Question

How can I watch all file opens below a directory (recursive) tree? I want to know which process accesses it.

Environment

  • /home is an ext4 filesystem.
  • SuSE Linux 12.3. Kernel: 3.7.10

Not duplicate

My question is not a duplicate of Is it possible to find out what program or script created a given file? since ….:

  • I can't use inotify since the directory tree contains too many sub directories.
  • I can't use loggedfs: I can't change the file system type of this directory.

Bounty

There are already two good answers. But I am curious, maybe there are other ways: Bounty of 50 🙂

Best Answer

You should be able to use auditd (although it depends on your Linux distribution having it available).

The auditctl command is used to configure auditing, and the man page should describe how to achieve what you need.

Something like,

auditctl -w /home/foo -p war -k foo-watch

You can then search the audit log later using,

ausearch -k foo-watch

An example of doing this on SUSE can be found here.
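
To answer the "which process" part from the records that the foo-watch rule produces, the sketch below groups raw audit records by event ID and maps each executable to the paths it touched under /home/foo. It is an added example, not part of the original answer; the function names and the sample records are constructed for illustration, and it assumes the raw audit.log record layout (SYSCALL, CWD and PATH records sharing one event ID).

```python
import os
import re
from collections import defaultdict

# Constructed sample in raw audit.log format (not real log data).
SAMPLE = """\
type=SYSCALL msg=audit(1400000000.101:501): syscall=2 success=yes pid=1201 comm="rsync" exe="/usr/bin/rsync" key="foo-watch"
type=CWD msg=audit(1400000000.101:501): cwd="/home/foo"
type=PATH msg=audit(1400000000.101:501): item=0 name="data/a.txt" inode=11
type=SYSCALL msg=audit(1400000005.202:502): syscall=2 success=yes pid=1300 comm="cat" exe="/bin/cat" key="foo-watch"
type=CWD msg=audit(1400000005.202:502): cwd="/root"
type=PATH msg=audit(1400000005.202:502): item=0 name=2F686F6D652F666F6F2F6D792066696C65 inode=12
type=SYSCALL msg=audit(1400000009.303:503): syscall=2 success=yes pid=1400 comm="vim" exe="/usr/bin/vim" key="other-rule"
type=PATH msg=audit(1400000009.303:503): item=0 name="/home/foo/x" inode=13
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """auditd quotes plain strings and hex-encodes ones with spaces or control bytes."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # not hex, e.g. (null)

def summarize(lines, key="foo-watch", root="/home/foo"):
    """Map each executable to the sorted paths under root seen in events tagged with key."""
    events = defaultdict(lambda: {"exe": None, "key": None, "cwd": "/", "paths": []})
    for m in filter(None, map(RECORD_RE.match, lines)):
        rtype, event_id, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events[event_id]  # records of one event share the timestamp:serial ID
        if rtype == "SYSCALL":
            ev["exe"], ev["key"] = decode(fields.get("exe", "?")), decode(fields.get("key", ""))
        elif rtype == "CWD":
            ev["cwd"] = decode(fields.get("cwd", '"/"'))
        elif rtype == "PATH" and "name" in fields:
            ev["paths"].append(decode(fields["name"]))
    result = defaultdict(set)
    for ev in (e for e in events.values() if e["key"] == key):
        for name in ev["paths"]:
            # PATH names may be relative to the event's CWD record
            full = os.path.normpath(os.path.join(ev["cwd"], name))
            if full == root or full.startswith(root + "/"):
                result[ev["exe"]].add(full)
    return {exe: sorted(paths) for exe, paths in result.items()}
```

On a live system, the lines passed to summarize() would be the output of ausearch -k foo-watch --raw. An empty result after a representative observation period is the evidence that nothing still uses the directory.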
