[SOLVED] trace writes to file

BenCollver · 02-14-2010, 10:55 PM

Does Linux have a way to trace writes to a file?

For each write, I would like to know the time, date, process id, user, file position, byte count, and the data written.

I could use this with a script to replay the writes to a backup of the original file, and reproduce the file contents as they were at a point in time.

-Ben

Simon Bridge · 02-15-2010, 01:51 AM

It is not clear what you mean by "write". Its meaning in computer science is a bit general for your use. Can you be specific about what you want to do? Right now it looks like you are trying to write spyware.

Perhaps you want a simple output to get recorded to a log, along with details about what it is. May be useful in debugging. An example would be the syslog. This immediately suggests logger(1).

Generally you'd have to write the script to produce the log file you needed.

BenCollver · 02-15-2010, 11:20 PM

I mean the write() system call. I am not considering memory mapped I/O. The write() system call is logged by the strace command, but that is per process. I want to find something that is per inode.

Just as an example, I may have an mbox file that could be written to directly from any number of processes including Thunderbird, mutt, and imapd. I would like to be able to tell what was written by Thunderbird, and what was written by mutt.

How would I write a script to do this? I assure you that I am only going to use this on my own computer.

Thank you,

-Ben

BenCollver · 11-28-2010, 09:46 AM

In BSD this would be done with systrace. In SELinux it can be done with an auditallow policy. This thread solved by SELinux.

BenCollver · 12-05-2010, 11:30 AM

p.s.

There is also auditd(1)