===== File Access Monitor =====
{{:file_access_monitor.gif?direct&800|}}
===== install inotify-tools =====
<code bash>
$ sudo apt install inotify-tools
</code>
The inotifywait utility can be used to wait and react to filesystem events.
<code bash>
$ inotifywait work/aaa.txt
Setting up watches.
Watches established.
work/aaa.txt OPEN
</code>
=== Use -r (--recursive) option to include subdirectories ===
<code bash>
$ inotifywait -r /home/wweb/www/html/dokuwiki
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/home/wweb/www/html/dokuwiki/data/pages/ OPEN zip.txt
</code>
^-m, --monitor|Instead of exiting after receiving a single event, execute indefinitely. The default behaviour is to exit after the first event occurs.|
<code bash>
$ inotifywait -m -r /home/wweb/www/html/dokuwiki
</code>
^-d, --daemon|Same as --monitor, except run in the background logging events to a file that must be specified by --outfile. Implies --syslog.|
<code bash>
$ inotifywait -d -o <outfile> -r /home/wweb/www/html/dokuwiki
</code>
:!: The file given to -o (--outfile) must be an existing file.
^--timefmt |Set a time format string as accepted by strftime(3)|
<code bash>
$ inotifywait -d --timefmt "%a, %d %b %Y %T %z" --format "%T %w %f %e" -o ~/log/inotifylog.txt -r /home/wweb/www/html/dokuwiki
$ inotifywait -d --timefmt "%a, %d %b %Y %T %z" --format "%T %w %f %e" -o ~/log/inotifylog_IIS.txt -r /mnt/e/inetpub/wwwroot/dokuwiki
</code>
:!: This does not work on NTFS, even when run from WSL.
==== Keep Detecting File Access with inotifywait ====
<code bash>
$ cat /usr/local/bin/inwatch.sh
#!/usr/bin/env bash
mkdir -p /home/pctr/log
LOGFILE=/home/pctr/log/inotify.log
echo "start inotifywait. Watching.." >> "$LOGFILE"
# -m: keep running instead of exiting after the first event
# -o: append every event to LOGFILE
# -r --fromfile: watch the paths listed in inotify.list (entries prefixed with @ are excluded)
inotifywait -m --timefmt "%a, %d %b %Y %T %z" --format "%T %w %f %e" \
  -e modify -e close_write -e moved_to -e moved_from -e move -e move_self \
  -e create -e delete -e delete_self -e unmount \
  -o "$LOGFILE" -r --fromfile /usr/local/bin/inotify.list
</code>
:!: This script will later be registered as a system service, which keeps it running in the foreground, so the -m option is the better choice here rather than -d.
<code bash>
$ cat /usr/local/bin/inotify.list
/home/wweb/www/html/dokuwiki
@/home/wweb/www/html/dokuwiki/data/pages/.git
@/home/wweb/www/html/dokuwiki/data/locks
@/home/wweb/www/html/dokuwiki/data/cache
@/home/wweb/www/html/dokuwiki/data/index
@/home/wweb/www/html/dokuwiki/data/meta
</code>
^@|When watching a directory tree recursively, exclude the specified file from being watched. The file must be specified with a relative or absolute path according to whether a relative or absolute path is given for the watched directories.|
^--fromfile |Read filenames to watch or exclude from a file, one filename per line. If filenames begin with @ they are excluded as described above. |
==== Alert When File Access Is Detected ====
<code bash>
$ cat /usr/local/bin/ialert.sh
#!/usr/bin/env bash
mkdir -p /home/pctr/log
LOGFILE=/home/pctr/log/inotify.log
LOGFILETMP=/home/pctr/log/inotify.tmp
# The log must exist before inotifywait can watch it.
touch "$LOGFILE"
# Block until inwatch.sh appends to the log, then show and mail the newest lines.
while inotifywait -q -e modify "$LOGFILE"
do
  tail -10 "$LOGFILE" > "$LOGFILETMP"
  kdialog --textbox "$LOGFILETMP" 1024 256
  tail -10 "$LOGFILE" | mail -s "[inotifywait alert] File Access Detected" pctresearch@pctresearch.com
done
</code>
:!: If you want to use the mail feature, you must first install and configure ''**Postfix**''.
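ialert.sh mails the last ten log lines whatever they are. As an added example (not part of this page or the author's scripts), the function below parses the lines inwatch.sh writes with --timefmt "%a, %d %b %Y %T %z" and --format "%T %w %f %e" and escalates only events under sensitive prefixes; the prefix list and the sample log lines are constructed for the example.

```shell
#!/usr/bin/env bash
# Triage lines written by inwatch.sh (--timefmt "%a, %d %b %Y %T %z",
# --format "%T %w %f %e") and flag events under sensitive paths.
# Sensitive prefixes and log lines below are constructed for this example.

# Prefixes whose events get escalated (assumed list; adjust per host).
SENSITIVE_PREFIXES="/home/pctr/.ssh/ /home/pctr/.bashrc /etc/ssh/ /etc/apache2/"

# Constructed sample log. Line 4 is an event on a directly watched file:
# %f is empty, so the line carries two spaces between %w and %e, and
# whitespace splitting yields 8 fields instead of 9.
SAMPLE_LOG='Mon, 06 May 2024 10:15:02 +0900 /home/pctr/.ssh/ authorized_keys CLOSE_WRITE,CLOSE
Mon, 06 May 2024 10:15:30 +0900 /home/wweb/www/html/dokuwiki/data/pages/ start.txt MODIFY
Mon, 06 May 2024 10:16:11 +0900 /etc/ssh/ sshd_config MODIFY
Mon, 06 May 2024 10:16:12 +0900 /home/pctr/.bashrc  DELETE_SELF
Mon, 06 May 2024 10:17:00 +0900 /home/wweb/www/html/dokuwiki/data/pages/ zip.txt CREATE'

# Print "ALERT <path> <events>" for each event whose path starts with a
# sensitive prefix. Fields 1-6 are the timestamp, the last field is the
# event list; the path is field 7 plus field 8 (file in a watched dir)
# or field 7 alone (the watched object itself). File names containing
# spaces would need a different --format separator.
triage_inotify_log() {
  printf '%s\n' "$1" | awk -v prefixes="$SENSITIVE_PREFIXES" '
    BEGIN { n = split(prefixes, pfx, " ") }
    NF >= 8 {
      events = $NF
      path = (NF == 9) ? $7 $8 : $7
      for (i = 1; i <= n; i++)
        if (index(path, pfx[i]) == 1) { print "ALERT " path " " events; break }
    }'
}

# Number of escalated events, usable in a mail subject or as an exit status.
alert_count() {
  triage_inotify_log "$1" | grep -c '^ALERT' || true
}

triage_inotify_log "$SAMPLE_LOG"
echo "escalated: $(alert_count "$SAMPLE_LOG")"
```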
=== Other kdialog ===
<code bash>
$ sudo apt install kdialog
$ kdialog --error "File Access Detected"
$ kdialog --textbox inotifylog.txt 512 256
</code>
==== Registering as a System Service (inwatch.sh only) ====
<code bash>
$ cd /etc/systemd/system/
$ sudo touch file-access-detect.service
</code>
<code ini>
[Unit]
Description=Detect Accessing to Files
After=network.target
StartLimitIntervalSec=20
StartLimitBurst=3

[Service]
Type=simple
Restart=always
RestartSec=10
User=root
ExecStart=/usr/local/bin/inwatch.sh

[Install]
WantedBy=multi-user.target
</code>
<code bash>
$ sudo systemctl daemon-reload
$ sudo systemctl enable file-access-detect.service
Created symlink /etc/systemd/system/graphical.target.wants/file-access-detect.service → /etc/systemd/system/file-access-detect.service.
$ sudo systemctl start file-access-detect.service
</code>
==== Registering as a Startup Application (ialert.sh only) ====
=== Ubuntu ===
<code bash>
$ cat ~/.config/autostart/ialert.sh.desktop
</code>
<code ini>
[Desktop Entry]
Type=Application
# Exec is not run through a shell, so a trailing "&" would be passed as an argument;
# autostart already launches the program asynchronously.
Exec=/usr/local/bin/ialert.sh
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name[en_US]=ialert
Name=ialert
Comment[en_US]=Alert when ~/log/inotify.log is updated.
Comment=Alert when ~/log/inotify.log is updated.
</code>
=== WSL ===
<code bash>
$ cat /etc/wsl.conf
</code>
<code ini>
[boot]
# systemd support
systemd=true
command = "/usr/local/bin/ialert.sh &"

[user]
# User settings
default=pctr

[network]
# generate /etc/hosts
generateHosts = false
# generate /etc/resolv.conf
generateResolvConf = false
</code>
===== File Access Detection case by case =====
|location of files^access by^wsl(inotify)^windows(Everything)^
^inside of wsl|wsl|detect|NG|
^ |windows|detect|△ 1)|
^outside of wsl|wsl|NG|detect|
^ |windows|NG|detect|
:!: 1) When Windows opens the file, it creates a *.link file, which can be detected. But when Windows modifies the file, Everything cannot detect the change.
===== Monitor Configure Files =====
You can easily monitor configuration files using the [[manage_config_with_git|Manage Configuration Files with Git]] technique: the files tracked by git are exactly the ones worth watching.
<code bash>
$ git ls-tree -r master --name-only /home/pctr/
/home/pctr/.bash_logout
/home/pctr/.bashrc
/home/pctr/.emulator_console_auth_token
/home/pctr/.gitconfig
/home/pctr/.gitignore
/home/pctr/.pam_environment
/home/pctr/.profile
/home/pctr/.selected_editor
/home/pctr/.ssh/authorized_keys
/home/pctr/.ssh/id_rsa
/home/pctr/.ssh/id_rsa.pub
/home/pctr/.ssh/known_hosts
/home/pctr/.sudo_as_admin_successful
/home/pctr/.tmux.conf
/home/pctr/.vimrc
/home/pctr/.vscode/argv.json
/home/pctr/.wget-hsts
/home/pctr/.xinputrc
</code>
<code bash>
$ git ls-tree -r --name-only master /etc/
.gitconfig
.gitignore
.pwd.lock
.updated
adduser.conf
aliases
apache2/apache2.conf
apache2/conf-available/charset.conf
apache2/conf-available/javascript-common.conf
apache2/conf-available/localized-error-pages.conf
apache2/conf-available/other-vhosts-access-log.conf
apache2/conf-available/security.conf
apache2/conf-available/serve-cgi-bin.conf
apache2/conf-enabled/charset.conf
apache2/conf-enabled/localized-error-pages.conf
apache2/conf-enabled/other-vhosts-access-log.conf
apache2/conf-enabled/security.conf
apache2/conf-enabled/serve-cgi-bin.conf
apache2/envvars
apache2/ports.conf
apache2/sites-available/000-default.conf
apache2/sites-available/default-ssl.conf
apache2/sites-available/wweb.conf
apache2/sites-available/wweb_ssl.conf
apache2/sites-enabled/wweb.conf
apache2/sites-enabled/wweb_ssl.conf
apg.conf
brltty.conf
ca-certificates.conf
cron.d/.placeholder
cron.d/anacron
...
dovecot/conf.d/10-ssl.conf
dovecot/dovecot.conf
...
host.conf
hostname
hosts
hosts.allow
hosts.deny
...
pam.conf
pam.d/atd
...
postfix/main.cf
...
samba/smb.conf
samba/smbshared.conf
...
ssh/ssh_config
ssh/ssh_host_rsa_key
ssh/ssh_host_rsa_key.pub
ssh/sshd_config
...
timeshift/default.json
timeshift/timeshift.json
...
ufw/applications.d/apache2-utils.ufw.profile
ufw/applications.d/cups
ufw/applications.d/dovecot-imapd
ufw/applications.d/dovecot-pop3d
ufw/applications.d/openssh-server
ufw/applications.d/postfix
ufw/applications.d/samba
ufw/sysctl.conf
ufw/ufw.conf
...
</code>
So inotify.list should be:
<code bash>
$ cat /usr/local/bin/inotify.list
/home/wweb/www/html/dokuwiki
@/home/wweb/www/html/dokuwiki/data/pages/.git
@/home/wweb/www/html/dokuwiki/data/locks
@/home/wweb/www/html/dokuwiki/data/cache
@/home/wweb/www/html/dokuwiki/data/index
@/home/wweb/www/html/dokuwiki/data/meta
/home/pctr/.bash_logout
/home/pctr/.bashrc
/home/pctr/.emulator_console_auth_token
/home/pctr/.gitconfig
/home/pctr/.gitignore
/home/pctr/.pam_environment
/home/pctr/.profile
/home/pctr/.selected_editor
/home/pctr/.ssh/authorized_keys
/home/pctr/.ssh/id_rsa
/home/pctr/.ssh/id_rsa.pub
/home/pctr/.ssh/known_hosts
/home/pctr/.sudo_as_admin_successful
/home/pctr/.tmux.conf
/home/pctr/.vimrc
/home/pctr/.vscode/argv.json
/home/pctr/.wget-hsts
/home/pctr/.xinputrc
/etc/.gitconfig
/etc/.gitignore
/etc/.pwd.lock
/etc/.updated
/etc/adduser.conf
/etc/aliases
/etc/apache2/apache2.conf
/etc/apache2/conf-available/charset.conf
/etc/apache2/conf-available/javascript-common.conf
/etc/apache2/conf-available/localized-error-pages.conf
/etc/apache2/conf-available/other-vhosts-access-log.conf
/etc/apache2/conf-available/security.conf
/etc/apache2/conf-available/serve-cgi-bin.conf
/etc/apache2/conf-enabled/charset.conf
/etc/apache2/conf-enabled/localized-error-pages.conf
/etc/apache2/conf-enabled/other-vhosts-access-log.conf
/etc/apache2/conf-enabled/security.conf
/etc/apache2/conf-enabled/serve-cgi-bin.conf
/etc/apache2/envvars
/etc/apache2/ports.conf
/etc/apache2/sites-available/000-default.conf
/etc/apache2/sites-available/default-ssl.conf
/etc/apache2/sites-available/wweb.conf
/etc/apache2/sites-available/wweb_ssl.conf
/etc/apache2/sites-enabled/wweb.conf
/etc/apache2/sites-enabled/wweb_ssl.conf
/etc/apg.conf
/etc/brltty.conf
/etc/ca-certificates.conf
/etc/cron.d/.placeholder
/etc/cron.d/anacron
...
</code>
:!: Every path in inotify.list must be a full (absolute) pathname.
:!: If inotify.list contains non-existent files or directories, the service will fail.
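An added check for the two notes above (example code, not the author's script): it reads an inotify.list and reports entries that are not absolute paths or do not exist, so the list can be verified before the service is started; the directory tree and list it exercises are constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Check an inotify.list before (re)starting file-access-detect.service.
# Every entry, including "@" excludes, must be an absolute path that
# exists; otherwise inotifywait exits and the unit restarts until the
# start limit is hit. The tree and list below are constructed in a
# temporary directory for this example.

# Print "RELATIVE <entry>" or "MISSING <entry>" for each bad line and
# return 1 if any was found, 0 if the list is clean.
check_inotify_list() {
  local list="$1" bad=0 entry path
  while IFS= read -r entry || [ -n "$entry" ]; do
    [ -z "$entry" ] && continue
    path="${entry#@}"          # strip the exclude marker before testing
    case "$path" in
      /*) ;;
      *) echo "RELATIVE $entry"; bad=1; continue ;;
    esac
    if [ ! -e "$path" ]; then
      echo "MISSING $entry"; bad=1
    fi
  done < "$list"
  return "$bad"
}

# Constructed tree: two valid watches, one valid exclude, one missing
# file and one relative entry.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/www/data/cache" "$DEMO_DIR/home/.ssh"
touch "$DEMO_DIR/home/.bashrc" "$DEMO_DIR/home/.ssh/authorized_keys"
DEMO_LIST="$DEMO_DIR/inotify.list"
cat > "$DEMO_LIST" <<EOF
$DEMO_DIR/www
@$DEMO_DIR/www/data/cache
$DEMO_DIR/home/.bashrc
$DEMO_DIR/home/.ssh/authorized_keys
$DEMO_DIR/home/.vimrc
home/.profile
EOF

if check_inotify_list "$DEMO_LIST"; then
  echo "inotify.list OK, safe to start the service"
else
  echo "fix the entries above before starting the service"
fi
```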