File Access Monitor
Install inotify-tools
```
$ sudo apt install inotify-tools
```
The inotifywait utility can be used to wait and react to filesystem events.
```
$ inotifywait work/aaa.txt
Setting up watches.
Watches established.
work/aaa.txt OPEN
```
Use the -r (--recursive) option to include subdirectories.
```
$ inotifywait -r /home/wweb/www/html/dokuwiki
Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
/home/wweb/www/html/dokuwiki/data/pages/ OPEN zip.txt
```
| -m, --monitor | Instead of exiting after receiving a single event, execute indefinitely. The default behaviour is to exit after the first event occurs. |
|---|---|
```
$ inotifywait -m -r /home/wweb/www/html/dokuwiki
```
| -d, --daemon | Same as --monitor, except run in the background logging events to a file that must be specified by --outfile. Implies --syslog. |
|---|---|
```
$ inotifywait -d -o <log_filename> -r /home/wweb/www/html/dokuwiki
```
<log_filename> must be an existing file.
| --timefmt <fmt> | Set a time format string as accepted by strftime(3). |
|---|---|
```
$ inotifywait -d --timefmt "%a, %d %b %Y %T %z" --format "%T %w %f %e" -o ~/log/inotifylog.txt -r /home/wweb/www/html/dokuwiki
$ inotifywait -d --timefmt "%a, %d %b %Y %T %z" --format "%T %w %f %e" -o ~/log/inotifylog_IIS.txt -r /mnt/e/inetpub/wwwroot/dokuwiki
```
This does not work on NTFS, even under WSL.
Continuously Detect File Access with inotifywait
```
$ cat /usr/local/bin/inwatch.sh
#!/usr/bin/env bash
# Log directory and log file written by inotifywait
mkdir -p /home/pctr/log
LOGFILE=/home/pctr/log/inotify.log
echo "start inotifywait. Watching.." >> "$LOGFILE"
# -m: run forever; -e: only the write/move/delete events of interest;
# --fromfile: paths to watch (and @-prefixed paths to exclude)
inotifywait -m --timefmt "%a, %d %b %Y %T %z" --format "%T %w %f %e" \
  -e modify -e close_write -e moved_to -e moved_from -e move -e move_self \
  -e create -e delete -e delete_self -e unmount \
  -o "$LOGFILE" -r --fromfile /usr/local/bin/inotify.list
```
This script will later be registered as a systemd service, which keeps it in the foreground, so the -m option is preferable to -d.
```
$ cat /usr/local/bin/inotify.list
/home/wweb/www/html/dokuwiki
@/home/wweb/www/html/dokuwiki/data/pages/.git
@/home/wweb/www/html/dokuwiki/data/locks
@/home/wweb/www/html/dokuwiki/data/cache
@/home/wweb/www/html/dokuwiki/data/index
@/home/wweb/www/html/dokuwiki/data/meta
```
| @<file> | When watching a directory tree recursively, exclude the specified file from being watched. The file must be specified with a relative or absolute path according to whether a relative or absolute path is given for watched directories. |
|---|---|
| --fromfile <file> | Read filenames to watch or exclude from a file, one filename per line. If filenames begin with @ they are excluded as described above. |
Alert When Files' Access Detected
```
$ cat /usr/local/bin/ialert.sh
#!/usr/bin/env bash
mkdir -p /home/pctr/log
LOGFILE=/home/pctr/log/inotify.log
LOGFILETMP=/home/pctr/log/inotify.tmp
# Block until the watcher's log file is modified, then show and mail the
# last ten lines. inotifywait exits non-zero if the log does not exist yet,
# which ends the loop, so inwatch.sh must be running first.
while inotifywait -q -e modify "$LOGFILE"; do
  tail -10 "$LOGFILE" > "$LOGFILETMP"
  kdialog --textbox "$LOGFILETMP" 1024 256
  tail -10 "$LOGFILE" | mail -s "[inotifywait alert] File Access Detected" pctresearch@pctresearch.com
done
```
If you want to use the mail feature, you must first install and configure Postfix.
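The alert script above mails every change in the log, including the DokuWiki page edits that make up most of the traffic. The following added example (not part of the original page) shows how to triage lines in the exact `--timefmt "%a, %d %b %Y %T %z" --format "%T %w %f %e"` layout that inwatch.sh produces, reporting only completed writes, moves and deletions of credential and daemon-configuration files. The sample log, the `sensitive_events` and `count_sensitive` functions and the path patterns are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an inotifywait log written with
#   --timefmt "%a, %d %b %Y %T %z" --format "%T %w %f %e"
# A data line is: <6 timestamp fields> <watched dir> <file name> <events>.
# Function names and path patterns are assumptions for illustration.

# Constructed sample log (same layout inwatch.sh writes); not real data.
SAMPLE_LOG=$(cat <<'EOF'
start inotifywait. Watching..
Sun, 16 Mar 2025 11:06:01 +0900 /home/wweb/www/html/dokuwiki/data/pages/ start.txt MODIFY
Sun, 16 Mar 2025 11:06:01 +0900 /home/wweb/www/html/dokuwiki/data/pages/ start.txt CLOSE_WRITE,CLOSE
Sun, 16 Mar 2025 11:07:30 +0900 /home/pctr/.ssh/ authorized_keys MODIFY
Sun, 16 Mar 2025 11:07:30 +0900 /home/pctr/.ssh/ authorized_keys CLOSE_WRITE,CLOSE
Sun, 16 Mar 2025 11:09:12 +0900 /etc/ssh/ sshd_config MOVED_TO
Sun, 16 Mar 2025 11:10:00 +0900 /home/pctr/ .bashrc DELETE
EOF
)

# sensitive_events LOGTEXT
# Prints "TIMESTAMP FULLPATH EVENTS" for every completed write, move or
# delete on a sensitive path. MODIFY fires once per write() and is always
# followed by CLOSE_WRITE, so only the latter is reported: one alert per
# edit instead of one per write.
sensitive_events() {
    printf '%s\n' "$1" | awk '
        NF < 9 { next }                      # skip the startup banner
        {
            path = $7 $8                     # %w (watched dir) + %f (file)
            ev   = $9                        # %e, e.g. CLOSE_WRITE,CLOSE
            ts   = $1 " " $2 " " $3 " " $4 " " $5 " " $6
        }
        ev ~ /(^|,)(CLOSE_WRITE|MOVED_TO|MOVED_FROM|DELETE|DELETE_SELF)(,|$)/ && path ~ /(\/\.ssh\/|\/etc\/ssh\/|\/etc\/sudoers|\/\.bashrc$|\/\.profile$)/ { print ts, path, ev }
    '
}

# count_sensitive LOGTEXT  ->  number of alert lines
count_sensitive() {
    sensitive_events "$1" | wc -l | tr -d ' '
}

# Usage: on the constructed log this prints the authorized_keys close-write,
# the sshd_config move and the .bashrc deletion, and nothing for the wiki pages.
sensitive_events "$SAMPLE_LOG"
```

Piping `tail -10 "$LOGFILE"` through `sensitive_events` inside the `while` loop of ialert.sh, and only calling `mail` when `count_sensitive` is non-zero, keeps the mailbox to the events that matter.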
Other kdialog Uses
```
$ sudo apt install kdialog
$ kdialog --error "File Access Detected"
$ kdialog --textbox inotifylog.txt 512 256
```
Registering as a System Service (inwatch.sh only)
```
$ cd /etc/systemd/system/
$ sudo touch file-access-detect.service
```
```
[Unit]
Description=Detect Accessing to Files
After=network.target
StartLimitIntervalSec=20
StartLimitBurst=3

[Service]
Type=simple
Restart=always
RestartSec=10
User=root
ExecStartPre=
ExecStart=/usr/local/bin/inwatch.sh
ExecStartPost=
ExecStop=
ExecReload=

[Install]
WantedBy=multi-user.target
```
```
$ sudo systemctl daemon-reload
$ sudo systemctl enable file-access-detect.service
Created symlink /etc/systemd/system/graphical.target.wants/file-access-detect.service → /etc/systemd/system/file-access-detect.service.
$ sudo systemctl start file-access-detect.service
```
Registering Startup Application (ialert.sh only)
Ubuntu
```
$ cat ~/.config/autostart/ialert.sh.desktop
[Desktop Entry]
Type=Application
Exec=/usr/local/bin/ialert.sh &
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name[en_US]=ialert
Name=ialert
Comment[en_US]=Alert when ~/log/inotify.log is updated.
Comment=Alert when ~/log/inotify.log is updated.
```
WSL
```
$ cat /etc/wsl.conf
[boot]
# systemd support
systemd=true
command = "/usr/local/bin/ialert.sh &"

[user]
# User settings
default=pctr

[network]
# generate /etc/hosts
generateHosts = false
# generate /etc/resolv.conf
generateResolvConf = false
```
File Access Detection, Case by Case
| location of files | access by | wsl (inotify) | windows (Everything) |
|---|---|---|---|
| inside of wsl | wsl | detect | NG |
| inside of wsl | windows | detect | △ 1) |
| outside of wsl | wsl | NG | detect |
| outside of wsl | windows | NG | detect |
1) When Windows opens the file, Windows creates a *.link file, which can be detected. But when Windows modifies the file, Everything can't detect it.
Monitor Configuration Files
You can easily monitor configuration files using the Manage Configuration Files with Git technique.
```
$ git ls-tree -r master --name-only /home/pctr/
/home/pctr/.bash_logout
/home/pctr/.bashrc
/home/pctr/.emulator_console_auth_token
/home/pctr/.gitconfig
/home/pctr/.gitignore
/home/pctr/.pam_environment
/home/pctr/.profile
/home/pctr/.selected_editor
/home/pctr/.ssh/authorized_keys
/home/pctr/.ssh/id_rsa
/home/pctr/.ssh/id_rsa.pub
/home/pctr/.ssh/known_hosts
/home/pctr/.sudo_as_admin_successful
/home/pctr/.tmux.conf
/home/pctr/.vimrc
/home/pctr/.vscode/argv.json
/home/pctr/.wget-hsts
/home/pctr/.xinputrc
$ git ls-tree -r --name-only master /etc/
.gitconfig
.gitignore
.pwd.lock
.updated
adduser.conf
aliases
apache2/apache2.conf
apache2/conf-available/charset.conf
apache2/conf-available/javascript-common.conf
apache2/conf-available/localized-error-pages.conf
apache2/conf-available/other-vhosts-access-log.conf
apache2/conf-available/security.conf
apache2/conf-available/serve-cgi-bin.conf
apache2/conf-enabled/charset.conf
apache2/conf-enabled/localized-error-pages.conf
apache2/conf-enabled/other-vhosts-access-log.conf
apache2/conf-enabled/security.conf
apache2/conf-enabled/serve-cgi-bin.conf
apache2/envvars
apache2/ports.conf
apache2/sites-available/000-default.conf
apache2/sites-available/default-ssl.conf
apache2/sites-available/wweb.conf
apache2/sites-available/wweb_ssl.conf
apache2/sites-enabled/wweb.conf
apache2/sites-enabled/wweb_ssl.conf
apg.conf
brltty.conf
ca-certificates.conf
cron.d/.placeholder
cron.d/anacron
...
dovecot/conf.d/10-ssl.conf
dovecot/dovecot.conf
...
host.conf
hostname
hosts
hosts.allow
hosts.deny
...
pam.conf
pam.d/atd
...
postfix/main.cf
...
samba/smb.conf
samba/smbshared.conf
...
ssh/ssh_config
ssh/ssh_host_rsa_key
ssh/ssh_host_rsa_key.pub
ssh/sshd_config
...
timeshift/default.json
timeshift/timeshift.json
...
ufw/applications.d/apache2-utils.ufw.profile
ufw/applications.d/cups
ufw/applications.d/dovecot-imapd
ufw/applications.d/dovecot-pop3d
ufw/applications.d/openssh-server
ufw/applications.d/postfix
ufw/applications.d/samba
ufw/sysctl.conf
ufw/ufw.conf
...
```
So inotify.list should be:
```
$ cat /usr/local/bin/inotify.list
/home/wweb/www/html/dokuwiki
@/home/wweb/www/html/dokuwiki/data/pages/.git
@/home/wweb/www/html/dokuwiki/data/locks
@/home/wweb/www/html/dokuwiki/data/cache
@/home/wweb/www/html/dokuwiki/data/index
@/home/wweb/www/html/dokuwiki/data/meta
/home/pctr/.bash_logout
/home/pctr/.bashrc
/home/pctr/.emulator_console_auth_token
/home/pctr/.gitconfig
/home/pctr/.gitignore
/home/pctr/.pam_environment
/home/pctr/.profile
/home/pctr/.selected_editor
/home/pctr/.ssh/authorized_keys
/home/pctr/.ssh/id_rsa
/home/pctr/.ssh/id_rsa.pub
/home/pctr/.ssh/known_hosts
/home/pctr/.sudo_as_admin_successful
/home/pctr/.tmux.conf
/home/pctr/.vimrc
/home/pctr/.vscode/argv.json
/home/pctr/.wget-hsts
/home/pctr/.xinputrc
/etc/.gitconfig
/etc/.gitignore
/etc/.pwd.lock
/etc/.updated
/etc/adduser.conf
/etc/aliases
/etc/apache2/apache2.conf
/etc/apache2/conf-available/charset.conf
/etc/apache2/conf-available/javascript-common.conf
/etc/apache2/conf-available/localized-error-pages.conf
/etc/apache2/conf-available/other-vhosts-access-log.conf
/etc/apache2/conf-available/security.conf
/etc/apache2/conf-available/serve-cgi-bin.conf
/etc/apache2/conf-enabled/charset.conf
/etc/apache2/conf-enabled/localized-error-pages.conf
/etc/apache2/conf-enabled/other-vhosts-access-log.conf
/etc/apache2/conf-enabled/security.conf
/etc/apache2/conf-enabled/serve-cgi-bin.conf
/etc/apache2/envvars
/etc/apache2/ports.conf
/etc/apache2/sites-available/000-default.conf
/etc/apache2/sites-available/default-ssl.conf
/etc/apache2/sites-available/wweb.conf
/etc/apache2/sites-available/wweb_ssl.conf
/etc/apache2/sites-enabled/wweb.conf
/etc/apache2/sites-enabled/wweb_ssl.conf
/etc/apg.conf
/etc/brltty.conf
/etc/ca-certificates.conf
/etc/cron.d/.placeholder
/etc/cron.d/anacron
...
```
Paths in inotify.list must be full (absolute) pathnames.
If inotify.list contains non-existent files or directories, the service will fail.
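Because a single missing path makes inotifywait exit and leaves the systemd unit in a restart loop, it pays to validate inotify.list before starting the service. The following added example (not part of the original page) checks each line the way `--fromfile` reads it: a leading `@` marks an exclusion, and every entry must be an absolute path that exists. The `check_inotify_list` and `demo_list` functions and the temporary list they build are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate an inotify.list before file-access-detect.service
# starts. Function names and the demo list are assumptions for illustration.

# check_inotify_list LISTFILE
# Prints one diagnostic per bad line and returns 1 if any line is bad.
# Rules mirror the page: '@' prefixes an exclusion, paths must be absolute,
# and every watched or excluded path must exist.
check_inotify_list() {
    list=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line#@}                       # strip the exclusion marker
        case $entry in
            '') echo "empty line"; bad=1; continue ;;
            /*) ;;                            # absolute path: OK so far
            *)  echo "not absolute: $line"; bad=1; continue ;;
        esac
        if [ ! -e "$entry" ]; then
            echo "missing: $line"; bad=1
        fi
    done < "$list"
    return $bad
}

# demo_list
# Builds a constructed list under a temp dir: two good entries, one valid
# exclusion, one deliberately absent file and one relative path. Prints the
# list's path.
demo_list() {
    d=$(mktemp -d)
    mkdir -p "$d/www/dokuwiki/data/cache" "$d/home/pctr/.ssh"
    : > "$d/home/pctr/.ssh/authorized_keys"
    cat > "$d/inotify.list" <<EOF
$d/www/dokuwiki
@$d/www/dokuwiki/data/cache
$d/home/pctr/.ssh/authorized_keys
$d/home/pctr/.bashrc
relative/path
EOF
    echo "$d/inotify.list"
}

# Usage: run the check on the demo list; it reports the missing .bashrc and
# the relative path, and exits non-zero so a wrapper could refuse to start.
LIST=$(demo_list)
check_inotify_list "$LIST" || echo "inotify.list has errors; fix them before starting the service"
```

Running `check_inotify_list /usr/local/bin/inotify.list` from an `ExecStartPre=` line in the unit file turns a silent restart loop into a clear failure message in `journalctl`.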
file_access_monitor.txt · Last modified: 2025/03/16 11:06 by 127.0.0.1

