can anyone recommend a program I can use to monitor file read/write access. I wanna use this to find out which file I need to modify to change configuration settings as well as which file to lock down so that other users cannot modify them. hopefully something that can catch burst writes-- application: leave program running->change settings through GUI->save settings->find file writes on the output during time I clicked on save. looking for filemon (from sysinternals.com) like application.

Have already looked at lsof and problem there is that am not sure it will catch burts writes and even if it did, it doesn't seem to tell me whether file is being read or written to, there is also no access time information so if I were to use it I would have to check all the files listed to find which one I need- I think this is impractical for programs that use tons of files..

just my opinion, but I think the file organization in linux is a bit too crowded- some files that users might wanna modify (like configuration settings) seem to be lumped together in the same directory. also, when I install a package through a package manager like synaptic - it doesn't ask me where to install the program which makes me wonder whether the programmer completely read through the documentation for standard file locations and adhered to it (which I doubt very much since it is kinda long). Anyway, sorry 'bout the rant - please correct me if I had any misconceptions

Thanks in advance....

Are you referring to /etc directory? If yes, then no - there is nothing in /etc users have to edit. /etc contains system-wide configuration settings, users can override these settings by creating their own configuration files in their home directories. For example, there is /etc/pine.conf where root sets all site-wide options and also specifies which parameters can be set by user in ~/.pinerc file. What is wrong with this scheme?

hello, again I am new here so probably have a lot of misconceptions. anyway, some people like me would like to modify system wide settings since usually I create many accounts for different things so I don't wanna modify the same configuration settings for each and every account. You might say that all I need to do is copy the file to the home directory in question but that would mean that I'd need to remember what it is that I changed- and yet still I think this is a waste of time if I could change the system wide setting instead.

1 more reason is for when I configure the computer for use by many other users who don't know as much or care as much about security and need to be protected from themselves. All these I have easily done in windows just with use of filemon and regmon from sysinternals.. Hopefully there are similar tools in Linux.

Nobody can remember every change made. This is why seasoned users keep logs for every computer they manage. You can also include your custom configuration files in skeleton so they are used every time a new user is created. Indeed, admin can modify system-wide conf files. But users should not have write access to them.
You can use strace and you can use some intrusion detection software - cant't name any from memory - to see what files were altered.

If you're saying that there are logs that monitor file read/write access- this is precisely what I'm looking for. Please tell me which log file. Thanks.


I could place those in skeleton but that would imply that I knew what config files (filename) I need to change in the first place which is why I started this thread to look for a utility to help me- am currently in windows so I'll try the strace later. I understand that users don't have access to system wide settings but as you yourself implied, this means that settings changed by the user are kept in his home folder- I would like to know what files these are with help of some utility to monitor file writes and modify some permissions on them so that the user cannot modify it even in his/her home directory. In my opinion files are also too crowded in the home directory- although I may have misunderstood the organization - an example would be the kde menu - can't seem to find which file I need to modify to add programs into the list. - an internet search would probably help here however, I would like to point out that in windows it's as easy as browsing the documents and settings directory.

Thanks for this suggestion and for posting here. will try this out later.. it is kinda odd that people don't seem to be interested in this utility - do linux users know where files are eventually after some experience with it? I have posted on a few other forums and I get very few responses. Seems to me that this is essential for system administration - I know it was for me in windows. Anyway, I hope this sounds more like a suggestion than a complain as I know I have no right to complain since linux is free. I would say though that linux has a long way to go before achieving usability like windows.

Uh, finally I'm starting to see your problem.
Really, Linux file tree is well organized and there is no need to search for conf files. man hier shows where files are located. man your_program describes what is the name of configuration files used.

Edit: With logs I had in mind something where you write down every change you make.

Thank you for not taking offense in my criticisms. anyway, the man pages did come to mind but then I feel that a file monitoring utility might be more helpful; not only for people who are too lazy to read but also because man pages are also written by the programmer and some programs in linux, since free so usually doesn't have the monetary support, do not have such complete documentation. An example would be kxdocker which still has incomplete documentation. Anyway, hope people get interest in this thread because I think this is important.

Too lazy to read does not fit into open source world. Linux does not hide anything, thus there is no real need to trace down things in Linux (except when debugging of course). You'll find the system itself with all utilities are well documented and there are countless HOWTO's and tutorials available on the web. www.google.com/linux is your best friend here, and these forums as well.
And here is an article which explains why one shouldn't complain before learning what (s)he is dealing with.

nonetheless, a file monitoring utility would be quite useful. It would be much easier and quicker to have a utility watch a process's I/O rather than wade through lots of docs and set up test case after test case to track down exactly which file is causing this process to fail.

Regardless of anything else, the quicker you can find a problem the better off you are. That Linux is transparent, exposing everything, doesn't mean that such a tool wouldn't be useful; Linux exposes so much that sometimes just sifting through takes awhile. A tool to monitor I/O would put you on the correct path immediately.

You realize of course this is debugging you are talking about? And you can use strace for this.

However, creating malware in linux is entirely possible. You might say that essential parts of the OS cannot by modified by program anyway since linux users always login as lower priveledged accounts. But doesn't every program have to install as root? In that time frame, wouldn't it be able to install anything? Furthermore, doesn't anything that runs on boot with init.d run as root? It seems trivial to me to insert something there while a program installs; Not to mention the existence of rootkits that do "hide" things. I know things I mentioned is responsibility of user (i.e. research program check md5 sum before installing). But forgive me for saying that I don't think the argument "linux doesn't hide anything" stands because it is same as saying you don't need to take responsibiity (by research or check md5 sum) in linux. I also find it rather disturbing that a lot of people seem to sight "open source" and program having been out there "open" for a long time as a guarantee of security - this I think only works if one can guarantee 2 things: a.) many people had taken interest in the program; b.) among those people are "competent" programmers who really did look at the code line by line. I don't think this is possible with all the programs out there as there is just too many -> what stops everyone from thinking the same thing and thus nothing gets checked. anyway, seems like strace is the program to use to track down problems- am still working on something that needs windows so can't try it yet. maybe later..

However, some programs do lack documentation. i.e. kxdocker.

I see the point and I apologize for having done so with the file organization. I think I do see the point now to the file heirarchy and do agree with it. However, I still think a file monitoring program is necessary not only for lazy people, which I see may garner very little sympathy, but also for people who just don't have the necessary background to understand some of these documentations with ease, or people who simply don't have enough time. Anyway, I do hope strace is the answer..

I can use strace for those programs which I am starting. I can't use it to just look in on a program that is already running - such as, for instance, kdeinit. I also can't use it to monitor a file to see who is invoking that file, although I can see who has that file open at any particular time with lsof.

There are some nice tools available on Windows, provided by sysinternals.com, that do these kinds of things. There isn't any reason why Linux can't have similar tools. I used to have them on the Amiga too. In fact, I wrote a couple of them for the Amiga.

Actually, this has set me to thinking. If I can just cut loose enough time to do it...

But, I fear, that won't be happening any time soon.