Tracking all file changes in a unix host
I'm evaluating a tool and I need to identify all files (including system config files) added, changed or removed by this application (it is installed using pip).
After installing on an external host, I'll track all the changes to bring the application to a different with the help of those tracked changes.
Note that I'm not looking for application or install logs, I'm looking for the changes made by this install and its application.
This can also be a useful scenario to audit the impact of any application being evaluated.
One possible solution is using fswatch (https://www.ostechnix.com/monitor-file-changes-using-fswatch-linux/), but it is not able to monitor the root directory.
A good decade ago, there was a tool for Windows called Norton CleanSweep (https://en.wikipedia.org/wiki/Norton_CleanSweep), that monitored an install app and tracked all files and registry entries added by this install to allow full deletion of this tracked install. That's exactly what I'm looking for, but for a unix box (Debian-based distros would be the perfect one).
Any ideas on what can be used to track all changes in a unix host?
linux filesystems system-installation utilities audit
asked Mar 15 at 13:30 by Rafael Borja, edited 2 days ago
Using fswatch could work, but apparently it's not able to watch the whole filesystem:
sudo fswatch -r --monitor=inotify_monitor --batch-marker --exclude=/tmp/* --exclude=/lib/modules/.*-aws.* --exclude=///lib/terminfo.* --exclude=/dev/pts.* -r -x --event=Created --event=Updated --event=Created MovedTo --event=Removed --event=MovedTo /bin /dev /etc /home /root /sbin /usr /var
– Rafael Borja
Mar 15 at 15:35
1 Answer
Since fswatch could not handle the amount of operations properly when the root directory is provided, inotifywait (https://linux.die.net/man/1/inotifywait) can be used.
It waits for changes to files using inotify. The following command can be used:
sudo inotifywait -m -r --exclude "(/tmp.*|/var/cache.*|/dev/pts/|/var/log.*)" -e MOVED_TO -e CREATE -e CLOSE_WRITE -e DELETE -e MODIFY -o /tmp/my_tracked_install_files /
Where:
- -m: uses monitoring mode
- -r: recursive path
- --exclude: uses a regex to not watch events on some directories (temp, log directories, and /dev/pts due to the amount of unnecessary changes on those directories)
- -e MOVED_TO, CREATE, CLOSE_WRITE, DELETE, and MODIFY: the only events we are interested in (inotifywait captures all kinds of filesystem events, including listing)
- -o: output file
Please note that inotifywait does not capture NFS files written from other hosts.
It is very likely that you must increase the number of inotify watches (as described in https://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux):
cat /proc/sys/fs/inotify/max_user_watches # default is 8192
sudo sysctl fs.inotify.max_user_watches=1048576 # increase to 1048576
answered Mar 15 at 17:36 by Rafael Borja, edited Mar 15 at 18:03
And creation of new files and directories in new directories can also be missed: stackoverflow.com/questions/15806488/inotify-missing-events
– Andrew Henle
Mar 15 at 18:37
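An added example, not part of the original answer or its comments: reducing the log written by the inotifywait command in the answer to one line per path (added, changed or removed), so that temporary files created and deleted during the install drop out. It assumes inotifywait's default output format and watched directory paths without spaces; the function names and the sample log are constructed for this example.

```shell
#!/bin/sh
# Reduce an inotifywait log (default format: "<watched dir> <EVENTS> <file name>")
# to the net effect per path. Assumption: directory paths contain no spaces;
# file names may contain them.
summarize_inotify_log() {
    awk '
    {
        dir = $1; events = $2
        # Everything after the second field is the file name.
        name = $0
        sub(/^[^ ]+ +[^ ]+ ?/, "", name)
        path = dir name

        n = split(events, ev, ",")
        for (i = 1; i <= n; i++) {
            e = ev[i]
            if (e == "CREATE" || e == "MOVED_TO") {
                # Born in this window unless the path was already seen before.
                if (!(path in seen)) born[path] = 1
                alive[path] = 1
            } else if (e == "MODIFY" || e == "CLOSE_WRITE") {
                alive[path] = 1
            } else if (e == "DELETE") {
                alive[path] = 0
            } else continue          # ISDIR, CLOSE and other flags carry no state
            seen[path] = 1
        }
    }
    END {
        for (p in seen) {
            if (born[p] && alive[p]) print "added\t" p
            else if (born[p])        continue    # created then deleted: transient
            else if (alive[p])       print "changed\t" p
            else                     print "removed\t" p
        }
    }' "$1" | LC_ALL=C sort
}

# Constructed sample log (not captured from a real install).
demo() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
/usr/local/lib/python3.7/dist-packages/ CREATE,ISDIR exampletool
/usr/local/lib/python3.7/dist-packages/exampletool/ CREATE __init__.py
/usr/local/lib/python3.7/dist-packages/exampletool/ MODIFY __init__.py
/usr/local/lib/python3.7/dist-packages/exampletool/ CLOSE_WRITE,CLOSE __init__.py
/etc/ MODIFY ld.so.cache
/etc/ CLOSE_WRITE,CLOSE ld.so.cache
/usr/local/bin/ CREATE pip-unpack-x1
/usr/local/bin/ DELETE pip-unpack-x1
/etc/ DELETE old example.conf
EOF
    summarize_inotify_log "$log"
    rm -f "$log"
}

demo
```

A path replaced by a rename (MOVED_TO) with no earlier event in the log is reported as added, because the log alone cannot show that it existed before. Events that inotify never delivered, as described in the comment above, are absent from the summary as well.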