Andries filmer

Feel free with Open Source Software

Andries Filmer - Internet professional since 1996.
I am a strong advocate of Free and Open Source Software (FOSS); let this site convince you why it is a good thing.

Monitoring file system events with inotify, incron and auditctl

  1. inotify
    1. Install inotify
    2. Log a project directory
    3. Backup files
  2. incron
    1. Install incron
    2. Create your backups
  3. Audit
    1. Install auditd
    2. auditctl
    3. ausearch

There are a lot of tools to monitor a filesystem. This time we take a quick look at inotify, incron and auditctl.


inotify

The inotify API provides a mechanism for monitoring file system events. Inotify can be used to monitor individual files, or to monitor directories. When a directory is monitored, inotify will return events for the directory itself, and for files inside the directory.

You can combine commands with a pipe, so this can be very powerful (as usual with GNU/Linux).

Install inotify

 apt-get install inotify-tools

Log a project directory

Log every file under /home/andries/myProject that is closed after having been opened in writable mode.

 inotifywait -mrq --format '%w%f' -e close_write /home/andries/myProject | while IFS= read -r file; do echo "$file" >> /var/log/inotify; done &

  • Option '-m' : Run indefinitely instead of exiting after receiving a single event.
  • Option '-r' : Watch all subdirectories of any directories passed as arguments.
  • Option '-q' : The program will be less verbose.
  • Option --format '%w%f' : Print the full path (watched directory %w followed by the file name %f) instead of the default output.

Backup files

It can be very useful to make an automatic backup, with a timestamp, of each file in a directory.

 mkdir /var/backups/inotify

An example to back up all files under /etc.

 inotifywait -mrq --format '%w%f' -e close_write /etc | while IFS= read -r file; do
    # copy the file including its full path, then rename the copy with a date-stamp
    cp --parents "$file" /var/backups/inotify
    mv "/var/backups/inotify$file" "/var/backups/inotify$file-$(date +'%Y-%m-%d_%H:%M')"
 done &

  • Option cp --parents : Use the full source file name under the target directory.
  • Command mv moves the $file to the $file with a date-stamp from date +'%Y-%m-%d_%H:%M'.


incron

If you want to make some monitoring or backup events permanent, then incron is very useful.

The inotify cron daemon (incrond) is a daemon which monitors filesystem events and executes commands defined in system and user tables. Its use is generally similar to cron(8).

Install incron

 apt-get install incron

Create your backups

As an example, I have made a small script to back up all files in the etc and myProject directories.

 vi /root/

 #!/bin/sh
 # Create an inotify backup dir (if it does not exist)
 mkdir -p /var/backups/inotify
 # Make a copy of the full path and file
 cp -p --parents "$1" /var/backups/inotify
 # Move the file to a file with a datetime-stamp
 mv "/var/backups/inotify$1" "/var/backups/inotify${1}_$(date +'%Y-%m-%d_%H:%M')"

Make the file executable for root

 chmod 755 /root/


 incrontab -e

 /etc IN_CLOSE_WRITE,IN_MODIFY /root/ $@/$# 
 /home/andries/myProject IN_CLOSE_WRITE /root/ $@/$# 

As you can see, you can do much more ;)
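A more defensive version of the backup step used in the inotifywait loop and in the incron script, as an added example (not the author's script): it quotes paths, skips symlinks and the backup tree itself, creates new backup directories with mode 0700 because they will hold copies of files such as /etc/shadow, and stamps to the second so two writes within one minute do not overwrite each other. The names `backup_file` and `BACKUP_ROOT` are assumptions of this example.

```shell
#!/bin/sh
# Added example: hardened backup step for the inotifywait loop / incron script.
# BACKUP_ROOT and backup_file are names chosen for this example.
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/inotify}"

# backup_file PATH -> prints the path of the stamped copy, returns 1 if skipped.
backup_file() {
    src=$1
    # Only absolute paths, as inotifywait '%w%f' and incron '$@/$#' deliver them.
    case $src in /*) ;; *) return 1 ;; esac
    # Skip symlinks, directories and files that vanished since the event fired.
    [ -f "$src" ] && [ ! -L "$src" ] || return 1
    # Never back up the backup tree itself (would loop if it is being watched).
    case $src in "$BACKUP_ROOT"/*) return 1 ;; esac

    dest="$BACKUP_ROOT$src-$(date +'%Y-%m-%d_%H:%M:%S')"
    (
        umask 077                       # new backup directories are created 0700
        mkdir -p "$(dirname "$dest")" &&
        cp -p -- "$src" "$dest"         # one step: no unstamped copy in between
    ) || return 1
    printf '%s\n' "$dest"
}

# Usage with inotifywait (same options as in the article):
#   inotifywait -mrq --format '%w%f' -e close_write /etc |
#       while IFS= read -r f; do backup_file "$f" >> /var/log/inotify; done &
# Usage from a script started by incron: backup_file "$1"
```
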


Audit

auditctl is a utility to assist controlling the kernel's audit system. It is another approach to monitoring the filesystem. This can be useful if several people have root access or if there are problems with the system.

Install auditd

 apt-get install auditd

Now the audit daemon is running.

auditctl

You can add rules for logging.

To audit the /etc/passwd file, type the following command:

 auditctl -w /etc/passwd -p war -k password-file

  • -w /etc/passwd : Watch the file system object
  • -p war : Set permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for append.
  • -k password-file : Set a filter key on the watch.

Syscall audit rule

The next rule suppresses auditing for mount syscall exits.

 auditctl -a exit,never -S mount

Syscall audit rule using pid

See the syscalls made by a program, here sshd (in this example pid 702):

 auditctl -a exit,always -S all -F pid=702


ausearch

With ausearch you can search the audit log for the events recorded by the rules made with auditctl.

 ausearch -f /etc/passwd

Other useful examples

Search for events with date and time stamps. If the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date is 10/24/05. An example of time is 18:00:00.

 ausearch -ts today -k password-file
 ausearch -ts 3/12/07 -k password-file

Search for an event matching the given executable name using the -x option. For example, find out who has accessed /etc/passwd using the rm command:

 ausearch -ts today -k password-file -x rm
 ausearch -ts 3/12/07 -k password-file -x rm

Search for an event with the given user name (UID). For example, find out if user vivek (uid 506) tried to open /etc/passwd:

 ausearch -ts today -k password-file -x rm -ui 506
 ausearch -k password-file -ui 506
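What ausearch does with -k and -ui, shown on raw records as an added example (not from the original page): the SYSCALL and PATH records of one event share the serial number in msg=audit(TIME:SERIAL), and the key set with auditctl -k is carried on the SYSCALL record. The log lines are constructed, and the function names `sample_audit_log` and `events_for_key` are assumptions of this example.

```shell
#!/bin/sh
# Added example: the correlation that ausearch -k KEY -ui UID performs.
# The records below are constructed for this example, not taken from a real host.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1275314400.101:411): arch=c000003e syscall=2 success=yes exit=3 ppid=2201 pid=2240 auid=506 uid=506 euid=506 comm="cat" exe="/bin/cat" key="password-file"
type=PATH msg=audit(1275314400.101:411): item=0 name="/etc/passwd" inode=131093 mode=0100644
type=SYSCALL msg=audit(1275314460.007:412): arch=c000003e syscall=87 success=no exit=-13 ppid=2201 pid=2251 auid=506 uid=506 euid=506 comm="rm" exe="/bin/rm" key="password-file"
type=PATH msg=audit(1275314460.007:412): item=0 name="/etc/passwd" inode=131093 mode=0100644
type=SYSCALL msg=audit(1275314520.550:413): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=702 auid=4294967295 uid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="password-file"
type=PATH msg=audit(1275314520.550:413): item=0 name="/etc/passwd" inode=131093 mode=0100644
type=SYSCALL msg=audit(1275314580.300:414): arch=c000003e syscall=165 success=yes exit=0 ppid=1 pid=900 auid=0 uid=0 euid=0 comm="mount" exe="/bin/mount" key=(null)
EOF
}

# events_for_key KEY [UID] reads raw audit records on stdin and prints one line
# per matching event: SERIAL UID EXE SUCCESS PATH
events_for_key() {
    awk -v key="$1" -v want_uid="${2:-}" '
    # Value of NAME=... in the current record, surrounding quotes stripped.
    function field(name,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) {
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    {   # All records of one event share SERIAL in msg=audit(TIME:SERIAL):
        id = $2; sub(/\):$/, "", id); sub(/^.*:/, "", id)
    }
    # The key set with auditctl -k is carried on the SYSCALL record.
    $1 == "type=SYSCALL" && field("key") == key {
        if (want_uid != "" && field("uid") != want_uid) next
        hit[id] = field("uid") " " field("exe") " " field("success")
        order[++n] = id
    }
    # The watched object is named on the PATH record of the same event.
    $1 == "type=PATH" && (id in hit) { path[id] = field("name") }
    END { for (i = 1; i <= n; i++) print order[i], hit[order[i]], path[order[i]] }
    '
}
```

Run `sample_audit_log | events_for_key password-file 506` to see the two events caused by uid 506, including the failed rm.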

This page is created on 2010-05-30 and updated on 2010-05-31

Comment by Krishan, posted on 2013-05-07
Will you please give me a method for audit 'mkdir'


The content on this website is licensed under Creative Commons 3.0 | © 2013 Andries Filmer