Tutorial :Which process was responsible for an event signalled by inotify?



Question:

I am using pyinotify to detect access, changes, etc. on files in a given directory. Is there an easier way to find out which process was responsible for that - without having to patch inotify?


Solution:1

No, you can't, that information isn't in the struct inotify_event sent by the kernel.

Actually there isn't any guarantee that the process responsible is still running when you get the event.


Solution:2

Assuming you are on Linux (pyinotify would tend to indicate this) you could use SELinux (running in permissive mode of course) to wrap a process(es) and log all their file access/creation/deletion/etc.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »