
Can iNotify tell me where a monitored file is moved?

Developer https://www.devze.com 2023-02-10 18:17 Source: web

I want to monitor a file while it's moving in the system. Can iNotify tell me its new position whenever it moves?


If you're watching both the directory the file was moved from, and the directory the file was moved to, then you will receive an IN_MOVED_FROM event on the source directory and an IN_MOVED_TO event on the target directory, both with the same cookie. You can then use the name fields of the two events to find out where the file was moved to and from.

If you're only watching the source directory, or only the target directory, then you will only get one of the events, so you will only have half of the info. This is a limitation of inotify.


You can grab a file descriptor to the file before the move and read the symlink at:

'/proc/self/fd/' + $fd

where $fd is your file descriptor; this file descriptor will point to your file. Note I have only tested this on ext4 and it works with LVM2, but does not work with OverlayFS. Also, opening a file descriptor will block remove events from being fired for the file.

There may also be issues between Linux kernel versions.


According to @slightly_toasted's answer there, you can use sudo auditctl -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F dir=/path/to/folder/to/monitor -F key=DONT_MOVE.

The DONT_MOVE key/tag is what identifies the file/folder you'll be monitoring.

You can create different tags to different files/folder you are going to watch.

To ensure that these rules are stored, append the same command (except auditctl) -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F dir=/path/to/folder/to/monitor -F key=DONT_MOVE to the /etc/audit/audit.rules file.

For this, you can use: sudo echo "-a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F dir=/path/to/folder/to/monitor -F key=DONT_MOVE" >> /etc/audit/audit.rules (it says permission denied so it need a fix)


Then

The file/folder is missing and you want to know its new path? Use ausearch -k DONT_MOVE (DONT_MOVE or any other tag you chose individually for every file/folder you wanted to monitor)
