linux-audit.redhat.com archive mirror
* Using audit as extended inotify
@ 2015-07-27 23:30 Tyler Hardin
From: Tyler Hardin @ 2015-07-27 23:30 UTC (permalink / raw)
  To: linux-audit



I want to monitor file and directory creation, modification, and deletion
on some large subtrees (/etc/, /usr/share/, and ~/.config/). And I want the
name of the executable that caused the event. The purpose will be to
facilitate cruft detection and removal.

Can audit do this? Will using it to do this with such large subtrees become
a performance issue?


* Re: Using audit as extended inotify
From: Steve Grubb @ 2015-07-28 19:30 UTC (permalink / raw)
  To: linux-audit; +Cc: Tyler Hardin

On Monday, July 27, 2015 07:30:33 PM Tyler Hardin wrote:
> I want to monitor file and directory creation, modification, and deletion
> on some large subtrees (/etc/, /usr/share/, and ~/.config/). And I want the
> name of the executable that caused the event. The purpose will be to
> facilitate cruft detection and removal.

You cannot use globbing in the path.

> Can audit do this? Will using it to do this with such large subtrees become
> a performance issue?

It sort of can. You can monitor directory creation, file creation, and
deletion. Modification is where you start to have an issue. What you can see is
the file is opened with a write flag. But you have no idea if it actually
changed the file. You should be able to see the process doing it. But, I think
you might get a lot of records to process. Give it a try.

-Steve
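
What the reply above describes, as an added example that is not part of the thread: literal watch rules for the subtrees named in the question (no globbing, so each home directory's .config is listed explicitly; /home/user is an assumed path), and an awk pass that pairs each SYSCALL record's exe= with the CREATE/DELETE PATH records of the same event. The audit records are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the sample records are
# constructed; the rule syntax is plain auditctl (-w watch, -p permissions, -k key).

# Print auditctl watch rules. A directory watch (-w) covers the whole
# subtree; -p wa asks for write and attribute-change events, which also
# yields PATH records for entries created or deleted under the directory.
gen_rules() {
    key=$1; shift
    for dir in "$@"; do
        printf -- '-w %s -p wa -k %s\n' "$dir" "$key"
    done
}

# Read audit records on stdin; print "<exe> <nametype> <name>" for every
# PATH record whose nametype is CREATE or DELETE, using the exe= value of
# the SYSCALL record that shares the same event serial. As the reply notes,
# a write-open shows only as a NORMAL path with a write flag, so it is not
# reported here as a modification.
summarize_events() {
    awk '
    {
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
        id = substr($0, RSTART, RLENGTH)
        if ($1 == "type=SYSCALL") {
            match($0, /exe="[^"]*"/)
            exe[id] = substr($0, RSTART + 5, RLENGTH - 6)
        } else if ($1 == "type=PATH") {
            match($0, /nametype=[A-Z]+/)
            nt = substr($0, RSTART + 9, RLENGTH - 9)
            if (nt == "CREATE" || nt == "DELETE") {
                match($0, /name="[^"]*"/)
                print exe[id], nt, substr($0, RSTART + 6, RLENGTH - 7)
            }
        }
    }'
}

# Constructed sample: "touch" creating a file under a watched ~/.config/.
SAMPLE_LOG='type=SYSCALL msg=audit(1438039833.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=1234 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="cruft"
type=CWD msg=audit(1438039833.123:456): cwd="/home/user"
type=PATH msg=audit(1438039833.123:456): item=0 name="/home/user/.config/" inode=1 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1438039833.123:456): item=1 name="/home/user/.config/newfile" inode=2 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE'

gen_rules cruft /etc /usr/share /home/user/.config
printf '%s\n' "$SAMPLE_LOG" | summarize_events
```

On a live system the rules would go into /etc/audit/rules.d/ and the records would come from ausearch -k cruft rather than the embedded sample.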
