I am using pyinotify to detect access, changes, etc. on files in a given directory. Is there an easier way to find out which process was responsible for that - without having to patch inotify?
http://serverfault.com/questions/320716/find-out-which-process-is-changing-a-file – aliep Oct 27 '13 at 11:19
2 Answers
1
No, you can't, that information isn't in the struct inotify_event sent by the kernel.
Actually there isn't any guarantee that the process responsible is still running when you get the event.

tonfa
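The point of the answer above, shown as an added example that is not part of the original post: decoding the raw bytes an inotify file descriptor returns yields only `wd`, `mask`, `cookie`, `len` and `name`, so there is no process identifier to recover. The sample buffer is constructed here, and the helper names are hypothetical.

```python
import struct

# Layout of struct inotify_event from <sys/inotify.h>:
#   int wd; uint32_t mask; uint32_t cookie; uint32_t len; char name[];
HEADER = struct.Struct("=iIII")
FIELDS = ("wd", "mask", "cookie", "len", "name")

# Subset of the event bits defined in <sys/inotify.h>.
MASK_NAMES = {
    0x001: "IN_ACCESS", 0x002: "IN_MODIFY", 0x004: "IN_ATTRIB",
    0x008: "IN_CLOSE_WRITE", 0x010: "IN_CLOSE_NOWRITE", 0x020: "IN_OPEN",
    0x040: "IN_MOVED_FROM", 0x080: "IN_MOVED_TO", 0x100: "IN_CREATE",
    0x200: "IN_DELETE", 0x40000000: "IN_ISDIR",
}

def parse_events(buf):
    """Decode a buffer as returned by read() on an inotify descriptor."""
    events, offset = [], 0
    while offset + HEADER.size <= len(buf):
        wd, mask, cookie, name_len = HEADER.unpack_from(buf, offset)
        offset += HEADER.size
        if offset + name_len > len(buf):
            raise ValueError("truncated inotify_event")
        raw = buf[offset:offset + name_len]
        offset += name_len
        # The kernel NUL-pads the name; keep only the part before the first NUL.
        name = raw.split(b"\0", 1)[0].decode("utf-8", "surrogateescape")
        events.append(dict(zip(FIELDS, (wd, mask, cookie, name_len, name))))
    if offset != len(buf):
        raise ValueError("trailing bytes after last event")
    return events

def mask_names(mask):
    """Return the symbolic names of the bits set in an event mask."""
    return [name for bit, name in sorted(MASK_NAMES.items()) if mask & bit]

def _build(wd, mask, cookie, name):
    """Construct one event the way the kernel lays it out (sample data only)."""
    padded = name + b"\0" * (16 - len(name) % 16)
    return HEADER.pack(wd, mask, cookie, len(padded)) + padded

# Constructed sample: a modify on a file, then a directory deletion.
SAMPLE = _build(1, 0x002, 0, b"secrets.conf") + _build(1, 0x40000200, 0, b"tmpdir")

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev, mask_names(ev["mask"]))
```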
1
Assuming you are on Linux (pyinotify would tend to indicate this) you could use SELinux (running in permissive mode of course) to wrap a process(es) and log all their file access/creation/deletion/etc.