stackoom
  简体   繁体   中英

How can I know which files were modified by a specific process in linux machines?

 原文  2015-10-21 11:24:19       linux

Question

I need to get list of all modified files on my linux machines (AIX, Solaris, Red Hat, CentOS, HP-UX) in a specific time range (similar to proc mon or forfiles in Windows)

I tried to use find command. But since it didn't search per specific PID I got too many results. I wanted to narrow down the results by looking for files that were modified by specific process. I used the lsof command for specific PID. but I got list of files that were accessed, which wasn't helpful for me, because I could not know if the process changed them. I tried the strace command for specific PID, but the output was to hard to work with (too much irrelevant info, and I need it for 24 hours time range)

I kind of got to a dead end. Any ideas? (In short - I want to get list of all modified files by a specific process in a specific time range)

2 answers

solution1
 0  2015-10-21 12:36:07

Linux does not maintain a log of a record, of any kind, of which files were modified by which process.

The only logged information is each file's last modification timestamp. And even that can be arbitrarily adjusted by any process, which has appropriate privileges, to be ten years in the future, for example.

The short answer is that the information you're looking for does not exist.

solution2
 0  2015-10-21 15:14:54

The closest what I know of for your usecase is SELinux. This will only work if SELinux is enabled on your Operating System.

SELinux is capable of logging a bunch of information along with uid, gid, and PIDs ( exactly what you need ) for different operations.

For more details look at:

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How does my Linux C process know how many files were opened on the command line? How to get files modified by certain process in Linux How to know which process is changing a file in linux How can I know which process is using swap? How do I locate files which were modified within the last 10 days but and NOT in a “CVS”, “build” or “classes” folder on a bash terminal? How not to process files which were already processed before? (they will not be zipped or renamed) How can I identify which process is making UDP traffic on Linux? Linux: how to know which process (or program) is sending data to a local port? How can I know which interrupt line is shared or not, and which interrupt line is free in Linux? Linux - how can I tar only directories that contain specific files?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM