See what process last touched a file
On a Fedora system, you can use:
sudo auditctl -p a -w /some/file # monitor attribute changes to /some/file
It's in the audit package. If you don't have that installed, then sudo yum install audit
The output goes into /var/log/audit/audit.log in the form:
type=SYSCALL msg=audit(1325185116.524:1133): arch=c000003e syscall=2 success=yes exit=3 a0=671600 a1=241 a2=1b6 a3=9 items=1 ppid=26641 pid=26643 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="jmacs" exe="/usr/bin/joe" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1325185116.524:1133): cwd="/tmp"
type=PATH msg=audit(1325185116.524:1133): item=0 name="/etc/passwd" inode=531545 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
It's a bit dense, but note the msg=audit(###) strings line up across multiple lines.
- Now that I actually read the manpage for the first time ever, I see some cautions about using -Farch=b32/-Farch=b64, so it seems that there is some possible weirdness about 32-bit-vs-64-bit syscalls, so if you don't get an audit hit, that might be why. I've never really seen this bit before, but I haven't really run any 32-bit processes since the Athlon era, so I can't speak to it very well.
How to know which processes accessed a file?
The Linux audit system can help you and will provide detailed information:
Here's some documentation on Red Hat's site, but it should be adaptable to other Linux variants. Most distros have the audit system, but it may be an optional install. (Also see the man pages for the commands below.)
Assuming the audit subsystem is already running, you can add a rule to watch read access on your example file like this:
auditctl -w /etc/AAA -p r -k mywatch
(-w tells what file to watch, -p tells what activity to watch for [in this case read], and -k is an arbitrary key that can be used to find the records later)
Then you can see the results with the command:
ausearch -k mywatch
or watch the audit.log file (in /var/log/audit on some systems)
Limitation: Note that the filesystem watch (with -p) only logs the opening of a file (with read or write permission), not the time of individual read/write calls. Reading/writing a large file, for example, would otherwise generate too many log messages and use up your log file space, so it doesn't do that; it just records the opening of the file. So, in theory, a program that's a long-running daemon could open a file for writing at startup (which would be logged) but then not write to it until days later (which wouldn't be logged). Still, it should be useful for observing short-lived programs that make a quick change to a file. If you really do want to watch individual calls, there is the -S option to watch syscalls, but use it with caution as you can quickly overwhelm your logs if too general.
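As an added example (not part of the answers above), this Python code groups records by their shared msg=audit(time:serial) id, as the first answer points out, and decodes the open()/openat() flags to show the access mode requested at open time, which is all a watch records. The flag decoding assumes x86_64 syscall numbers (arch=c000003e); the second event, its hex-encoded path and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample: event 1133 is the one quoted above (some fields trimmed); event
# 1134 is made up, with a path containing a space, which auditd logs hex-encoded.
SAMPLE = """\
type=SYSCALL msg=audit(1325185116.524:1133): arch=c000003e syscall=2 success=yes exit=3 a0=671600 a1=241 a2=1b6 a3=9 items=1 ppid=26641 pid=26643 auid=501 uid=0 tty=pts0 ses=1 comm="jmacs" exe="/usr/bin/joe" key=(null)
type=CWD msg=audit(1325185116.524:1133): cwd="/tmp"
type=PATH msg=audit(1325185116.524:1133): item=0 name="/etc/passwd" inode=531545 dev=fd:01 mode=0100644
type=SYSCALL msg=audit(1325185120.001:1134): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd10 a2=0 a3=0 items=1 ppid=1 pid=900 auid=501 uid=501 comm="cat" exe="/usr/bin/cat" key="mywatch"
type=PATH msg=audit(1325185120.001:1134): item=0 name=2F746D702F6D792066696C65 inode=12 dev=fd:01 mode=0100644
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENCODED = {"name", "comm", "exe", "cwd"}   # fields auditd may hex-encode
FLAG_ARG = {"2": "a1", "257": "a2"}        # x86_64 only: open(), openat()
EXTRA = {0x40: "O_CREAT", 0x200: "O_TRUNC", 0x400: "O_APPEND"}

def decode(key, val):
    if val.startswith('"'):
        return val[1:-1]
    if key in ENCODED and re.fullmatch(r"(?:[0-9A-F]{2})+", val):
        return bytes.fromhex(val).decode("utf-8", "replace")
    return val

def open_flags(rec):
    """Name the open()/openat() flags of an x86_64 SYSCALL record, else None."""
    arg = FLAG_ARG.get(rec.get("syscall"))
    if rec.get("arch") != "c000003e" or arg is None:
        return None
    flags = int(rec[arg], 16)
    mode = ("O_RDONLY", "O_WRONLY", "O_RDWR", "?")[flags & 3]
    return "|".join([mode] + [n for bit, n in EXTRA.items() if flags & bit])

def who_touched(log_text):
    """Group records sharing a msg=audit(time:serial) id into one event each."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        if not (m := EVENT_ID.search(line)):
            continue
        rec = {k: decode(k, v) for k, v in FIELD.findall(line)}
        ev = events[m.group(1)]
        if rec["type"] == "SYSCALL":
            ev.update(pid=int(rec["pid"]), exe=rec["exe"], auid=rec["auid"], flags=open_flags(rec))
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["name"])
        elif rec["type"] == "CWD":
            ev["cwd"] = rec["cwd"]
    return dict(events)
```

For the record quoted above, a1=241 decodes to O_WRONLY|O_CREAT|O_TRUNC: the editor opened /etc/passwd for writing, and any later write() calls on that descriptor produce no further records.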
How do you determine the last process to modify a file?
No. It is not recorded.
You could enable Object Access Auditing on a particular folder (I wouldn't recommend using it on the general file system). See this post and use with caution!
You might be able to use .NET's FileSystemWatcher class.
Find process that created a file on windows
In general, no. Windows does not record the process that created a given file.
You might be able to use something like SysInternals Process Monitor, which hooks file (and registry) I/O, to see if you can catch the file being created, but once it's created (and the last file handle is closed), Windows forgets which process it came from.
If the file is open in a process that's currently running, you can use Process Explorer (also from SysInternals) to find out which one.
If you recognise the file extension, that can sometimes help. Or, maybe you can look in the file to see if there's anything obvious in it.
How do I pull the 'last modified time' of each file within a directory in Python?
The os.listdir() method lists the files of the given path excluding the path, hence you will need to concatenate the path yourself:
import os
for file in os.listdir('../File Transfer/Old Files/'):
    if file.endswith('.txt'):
        time_mod = os.path.getmtime('../File Transfer/Old Files/' + file)
        print(time_mod)
The glob.glob() method works great in cases like this:
import os
import glob
# glob.glob() returns each match with the directory already included
for file in glob.glob('../File Transfer/Old Files/*.txt'):
    time_mod = os.path.getmtime(file)
    print(time_mod)
You can get the amount of hours passed since the last modification of each file like so:
import os
from time import time
PATH = '../File Transfer/Old Files/'
for file in os.listdir(PATH):
    if file.endswith('.txt'):
        time_mod = time() - os.path.getmtime(PATH + file)
        print(time_mod // 3600)
How to find out which process is using a file in Linux?
You can use the fuser command, which is part of the psmisc package, like:
fuser file_name
You will receive a list of processes using the file.
You can use different flags with it, in order to receive a more detailed output.
You can find more info in the fuser's Wikipedia article, or in the man pages.
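An added example, not from the answer above: a Python function that finds the processes holding a file open by scanning /proc/<pid>/fd and comparing device and inode numbers, for hosts where psmisc is not installed. It covers open file descriptors only (not memory mappings or working directories) and, without root, sees only the current user's processes; the names pids_with_open and describe are hypothetical.

```python
import os

def pids_with_open(path):
    """Map pid -> list of fd numbers for every process that has `path` open.

    Matching is by (device, inode), so hard links and renamed files still match.
    """
    target = os.stat(path)
    key = (target.st_dev, target.st_ino)
    holders = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():          # skip non-process entries such as /proc/meminfo
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or belongs to another user
            continue
        for fd in fds:
            try:
                st = os.stat(f"{fd_dir}/{fd}")   # follows the fd's symlink to the open file
            except OSError:              # fd was closed in the meantime
                continue
            if (st.st_dev, st.st_ino) == key:
                holders.setdefault(int(entry), []).append(int(fd))
    return holders

def describe(pid):
    """Return (command name, executable path) for a pid; exe may be unreadable."""
    with open(f"/proc/{pid}/comm") as f:
        comm = f.read().strip()
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = "?"
    return comm, exe

if __name__ == "__main__":
    import sys
    for pid, fds in pids_with_open(sys.argv[1]).items():
        print(pid, fds, *describe(pid))
```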