See What Process Last Touched a File

See what process last touched a file

On a Fedora system, you can use:

sudo auditctl -p a -w /some/file  # monitor attribute changes to /some/file

It's in the audit package; if you don't have that installed, run sudo yum install audit.

The output goes into /var/log/audit/audit.log in the form:

type=SYSCALL msg=audit(1325185116.524:1133): arch=c000003e syscall=2 success=yes exit=3 a0=671600 a1=241 a2=1b6 a3=9 items=1 ppid=26641 pid=26643 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="jmacs" exe="/usr/bin/joe" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1325185116.524:1133): cwd="/tmp"
type=PATH msg=audit(1325185116.524:1133): item=0 name="/etc/passwd" inode=531545 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0

It's a bit dense, but note the msg=audit(###) strings line up across multiple lines.

  • Now that I actually read the manpage for the first time ever, I see some cautions about using -Farch=b32/-Farch=b64, so it seems that there is some possible weirdness about 32-bit-vs-64-bit syscalls, so if you don't get an audit hit, that might be why. I've never really seen this bit before, but I haven't really run any 32-bit processes since the Athlon era, so I can't speak to it very well.

How to know which processes accessed a file?

The linux audit system can help you and will provide detailed information:

Here's some documentation on Redhat's site; it should be adaptable to other Linux variants. Most distros have the audit system, but it may be an optional install. (Also see the man pages for the commands below.)

Assuming the audit subsystem is already running, you can add a rule to watch read access on your example file like this:

auditctl -w /etc/AAA -p r -k mywatch

(-w tells what file to watch, -p tells what activity to watch for [in this case read], and -k is an arbitrary key that can be used to find the records later)

Then you can see the results with the command:

ausearch -k mywatch

or watch the audit.log file (in /var/log/audit on some systems)

Limitation: note that the filesystem watch (with -p) only logs the opening of a file (with read or write permission), not the individual read/write calls. Reading or writing a large file would otherwise generate too many log messages and use up your log file space, so it doesn't do that; it just records the opening of the file. So, in theory, a long-running daemon could open a file for writing at startup (which would be logged) but then not write to it until days later (which wouldn't be logged). Still, it should be useful for observing short-lived programs that make a quick change to a file. If you really do want to watch individual calls, there is the -S option to watch syscalls, but use it with caution, as you can quickly overwhelm your logs if it is too general.
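The two answers above both leave the reader with raw audit.log lines and the hint that records sharing the same msg=audit(timestamp:serial) id belong to one event. The following is an added example, not code from either answer: it stitches SYSCALL, CWD and PATH records back together by serial, resolves relative PATH names against the CWD record, filters by the -k key the way ausearch -k does, and names the open(2)/openat(2) flags so a read-only open can be told apart from a write open. The sample log is constructed: event 1133 is the page's own joe/jmacs line, events 1140 and 1151 are made up. The syscall numbers (2 = open, 257 = openat) and flag bits are x86_64 (arch=c000003e) values; other architectures are reported without flag decoding.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the record layout shown above. Event 1133 is the page's
# own example (joe writing /etc/passwd); 1140 (cat reading /etc/passwd) and 1151
# (vim writing a relative name under cwd=/etc) are made up and carry -k mywatch.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1325185116.524:1133): arch=c000003e syscall=2 success=yes exit=3 a0=671600 a1=241 a2=1b6 a3=9 items=1 ppid=26641 pid=26643 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="jmacs" exe="/usr/bin/joe" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1325185116.524:1133): cwd="/tmp"
type=PATH msg=audit(1325185116.524:1133): item=0 name="/etc/passwd" inode=531545 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(1325185200.001:1140): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd10 a1=0 a2=0 a3=0 items=1 ppid=26641 pid=26650 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="mywatch"
type=CWD msg=audit(1325185200.001:1140): cwd="/home/user"
type=PATH msg=audit(1325185200.001:1140): item=0 name="/etc/passwd" inode=531545 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(1325185300.777:1151): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=1f2a3c0 a2=241 a3=1a4 items=1 ppid=26641 pid=26660 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=1 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="mywatch"
type=CWD msg=audit(1325185300.777:1151): cwd="/etc"
type=PATH msg=audit(1325185300.777:1151): item=0 name="AAA" inode=531600 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 only (arch=c000003e): open(2) is syscall 2 with flags in a1, openat(2)
# is syscall 257 with flags in a2. Audit prints a0..a3 in hex.
FLAG_ARG = {2: "a1", 257: "a2"}
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAG_BITS = {0x40: "O_CREAT", 0x200: "O_TRUNC", 0x400: "O_APPEND"}


def parse_records(text):
    """Yield (serial, timestamp, fields) per line; msg=audit(ts:serial) is the event id."""
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
            yield int(m.group(2)), float(m.group(1)), fields


def group_events(text):
    """Stitch the SYSCALL/CWD/PATH records that share a serial back into one event."""
    events = defaultdict(lambda: {"time": None, "SYSCALL": None, "CWD": {}, "PATH": []})
    for serial, ts, f in parse_records(text):
        ev = events[serial]
        ev["time"] = ts
        if f["type"] == "PATH":
            ev["PATH"].append(f)   # one PATH record per item= index
        else:
            ev[f["type"]] = f
    return events


def decode_open_flags(sc):
    """Name the open/openat flags of an x86_64 SYSCALL record, or None if not applicable."""
    arg = FLAG_ARG.get(int(sc.get("syscall", -1)))
    if sc.get("arch") != "c000003e" or arg is None:
        return None
    flags = int(sc[arg], 16)
    names = [ACCMODE.get(flags & 3, "O_ACCMODE?")]
    names += [name for bit, name in FLAG_BITS.items() if flags & bit]
    return "|".join(names)


def touches(text, target, key=None):
    """Every event that opened `target`, oldest first. Relative PATH names are
    resolved against the event's CWD record; `key` filters like `ausearch -k`."""
    hits = []
    for serial, ev in group_events(text).items():
        sc = ev["SYSCALL"]
        if sc is None or (key is not None and sc.get("key") != key):
            continue
        cwd = ev["CWD"].get("cwd", "/")
        for p in ev["PATH"]:
            if posixpath.normpath(posixpath.join(cwd, p.get("name", ""))) != target:
                continue
            hits.append({
                "serial": serial,
                "when": datetime.fromtimestamp(ev["time"], tz=timezone.utc).isoformat(),
                "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
                "auid": int(sc["auid"]), "uid": int(sc["uid"]),
                "comm": sc.get("comm"), "exe": sc.get("exe"),
                "success": sc.get("success") == "yes",
                "open_flags": decode_open_flags(sc),
                "path": target, "key": sc.get("key"),
            })
    hits.sort(key=lambda h: h["serial"])
    return hits


def last_touch(text, target, key=None):
    hits = touches(text, target, key)
    return hits[-1] if hits else None


def last_writer(text, target, key=None):
    """Last event that opened `target` for writing. This is the open, not the write
    itself, which is exactly the limitation described above."""
    writers = [h for h in touches(text, target, key)
               if h["open_flags"] and h["open_flags"].split("|")[0] in ("O_WRONLY", "O_RDWR")]
    return writers[-1] if writers else None


if __name__ == "__main__":
    for h in touches(SAMPLE_AUDIT_LOG, "/etc/passwd"):
        print(h)
    print("last writer of /etc/passwd:", last_writer(SAMPLE_AUDIT_LOG, "/etc/passwd"))
```

On the sample, the last process to touch /etc/passwd is cat (pid 26650, O_RDONLY), while the last writer is joe (O_WRONLY|O_CREAT|O_TRUNC, i.e. the editor truncated and rewrote the file). For a real log, read /var/log/audit/audit.log and pass its contents; auid is the login uid and survives su/sudo, so it is the field to trust for "who", whereas uid is whoever the process was running as at open time.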

How do you determine the last process to modify a file?

No. It is not recorded.

You could enable Object Access Auditing on a particular folder (I wouldn't recommend using it on the general file system). See this post and use with caution!

You might be able to use .NET's FileSystemWatcher class.

Find process that created a file on windows

In general, no. Windows does not record the process that created a given file.

You might be able to use something like SysInternals Process Monitor, which hooks file (and registry) I/O, to see if you can catch the file being created, but once it's created (and the last file handle is closed), Windows forgets which process it came from.

If the file is open in a process that's currently running, you can use Process Explorer (also from SysInternals) to find out which one.

If you recognise the file extension, that can sometimes help. Or, maybe you can look in the file to see if there's anything obvious in it.

How do I pull the 'last modified time' of each file within a directory in Python?

The os.listdir() method lists the entries of the given path without the path prefix, hence you will need to concatenate the path yourself:

import os

for file in os.listdir('../File Transfer/Old Files/'):
    if file.endswith('.txt'):
        time_mod = os.path.getmtime('../File Transfer/Old Files/' + file)
        print(time_mod)

The glob.glob() method works great in cases like this (note that it already returns the directory prefix, so there is nothing to concatenate):

import os
import glob

for file in glob.glob('../File Transfer/Old Files/*.txt'):
    time_mod = os.path.getmtime(file)  # glob.glob() returns the full relative path
    print(time_mod)

You can get the amount of hours passed since the last modification of each file like so:

import os
from time import time

PATH = '../File Transfer/Old Files/'

for file in os.listdir(PATH):
    if file.endswith('.txt'):
        time_mod = time() - os.path.getmtime(PATH + file)
        print(time_mod // 3600)
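The snippets above all hand-build the path and print raw epoch floats. As an added example (not part of the answer, and not using its '../File Transfer/Old Files/' directory), the function below uses pathlib so the glob already carries the directory, returns the files newest first with a human-readable UTC timestamp and age in hours, and reports ctime next to mtime. The fixture it runs against is constructed in a temporary directory, and it deliberately back-dates the files with os.utime to show the caveat that matters when you are using mtime as evidence: any process that can write the file can set mtime to whatever it likes (that is all `touch -d` does), but the kernel stamps ctime with the real time of that change.

```python
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def modification_times(directory, pattern="*.txt", now=None):
    """Files under `directory` matching `pattern`, newest first, with age in hours.
    Path.glob yields full paths, so nothing is concatenated by hand."""
    now = time.time() if now is None else now
    rows = []
    for p in Path(directory).glob(pattern):
        if not p.is_file():
            continue
        st = p.stat()
        rows.append({
            "name": p.name,
            "path": str(p),
            "mtime": st.st_mtime,   # settable by anyone who can write the file
            "ctime": st.st_ctime,   # inode change time; not settable from userland on Linux
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                                 .isoformat(timespec="seconds"),
            "age_hours": (now - st.st_mtime) / 3600,
        })
    rows.sort(key=lambda r: r["age_hours"])
    return rows


def build_sample_dir():
    """Constructed fixture: two .txt files and one .log file, with mtimes
    back-dated via os.utime. The .log file is there to be ignored by the pattern."""
    d = tempfile.mkdtemp(prefix="oldfiles-")
    now = time.time()
    for name, hours_ago in (("a.txt", 2), ("b.txt", 30), ("c.log", 1)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        stamp = now - hours_ago * 3600
        os.utime(path, (stamp, stamp))   # atime and mtime move; ctime stays "now"
    return d


if __name__ == "__main__":
    for row in modification_times(build_sample_dir()):
        print(f'{row["name"]:8} modified {row["mtime_utc"]} ({row["age_hours"]:.1f} h ago)')
```

After the fixture is built, every row has ctime later than its back-dated mtime; a file whose mtime looks old but whose ctime is recent has had its timestamps or metadata changed recently, which is worth a second look before trusting the "last modified" value.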

How to find out which process is using a file in Linux?

You can use the fuser command, which is part of the psmisc package, like:

fuser file_name

You will receive a list of processes using the file.

You can use different flags with it, in order to receive a more detailed output.

You can find more info in the fuser's Wikipedia article, or in the man pages.
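For anyone who wants to see where fuser's answer comes from, here is an added example (not from the answer above, and not fuser's own code) that does the core of the job in Python: walk /proc/<pid>/fd and compare the device and inode numbers of each descriptor's target with those of the file in question. Matching on dev/inode rather than on the readlink text means a file that was opened through another path, hard link or bind mount, or that has since been renamed, is still found. Only the fd table is checked; fuser additionally looks at memory maps, cwd, root and exe, and without root you will only see your own processes. The demo opens a temporary file and looks for the current process.

```python
import os
import tempfile


def processes_using(path):
    """Return {pid: [fd, ...]} for every process whose open descriptors refer to
    `path`, by stat()ing the magic links under /proc/<pid>/fd. Linux only."""
    target = os.stat(path)
    holders = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue   # skip self, sys, net, ...
        fd_dir = os.path.join("/proc", entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue   # process exited, or belongs to another user and we are not root
        for fd in fds:
            try:
                st = os.stat(os.path.join(fd_dir, fd))   # follows the link to the open file
            except OSError:
                continue   # descriptor closed between listdir and stat
            if (st.st_dev, st.st_ino) == (target.st_dev, target.st_ino):
                holders.setdefault(int(entry), []).append(int(fd))
    return holders


def demo():
    """Hold a temp file open and look for ourselves.
    Returns (supported, own_pid, holders); supported is False where /proc is absent."""
    if not os.path.isdir("/proc"):
        return False, os.getpid(), {}
    with tempfile.NamedTemporaryFile() as f:   # constructed: a file only we have open
        return True, os.getpid(), processes_using(f.name)


if __name__ == "__main__":
    supported, pid, holders = demo()
    print("supported:", supported, "own pid:", pid, "holders:", holders)
```

As with the Windows answer earlier on this page, this only works while a descriptor is open: once the last handle is closed the kernel keeps no record of who had it, and the audit rules from the first two answers are the way to get history rather than a snapshot.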
