Pitfalls of the various ways to watch for file changes on Linux
I had a requirement: watch every file change across the whole system and compile a list of the changed files for further analysis. So I picked some open-source packages from the apt repository and tried them one at a time. (The test machine runs Deepin.)
1. fileschanged
Install:
apt install -y fileschanged
The options are simple:
fileschanged -r /home/gaory/tmp
That is all it takes.
But pointed at the root directory it simply hangs:
fileschanged -r /
2. inotifywait
Install (the inotify-tools package ships both inotifywait and inotifywatch; it is inotifywait that is used below):
apt install -y inotify-tools
Also straightforward:
$ inotifywait -mr -e modify -e create /home/gaory/tmp/
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/home/gaory/tmp/test/ CREATE b
/home/gaory/tmp/test/ CREATE x
But asked to watch the root directory, it errors out immediately:
$ inotifywait -mr -e modify -e create --exclude /proc --exclude /sys /
Setting up watches. Beware: since -r was given, this may take a while!
Failed to watch /; upper limit on inotify watches reached!
Please increase the amount of inotify watches allowed per user via `/proc/sys/fs/inotify/max_user_watches'.
inotify has no recursive mode: inotifywait -r places one watch on every directory under the tree, so watching / means one watch per directory on the whole system. Raising max_user_watches that far (each watch also costs kernel memory) is not realistic here, so I dropped the idea.
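Before pointing inotifywait -r at a large tree it is worth knowing how many watches it is going to ask for. The following is an added example in Python (my own, not code from the post or from inotify-tools) that counts the directories a recursive watcher would need under a root, pruning the same prefixes you would pass with --exclude, staying on one filesystem like find -xdev so /proc and /sys drop out on their own, and comparing the count with the per-user limit read from /proc/sys/fs/inotify/max_user_watches. The sample tree it builds for itself is a constructed fixture; the script file name in the comment is hypothetical.

```python
import os
import sys
import tempfile

MAX_USER_WATCHES = "/proc/sys/fs/inotify/max_user_watches"


def count_watch_dirs(root, excluded=(), one_filesystem=True):
    """Count the directories a recursive inotify watcher needs under root.

    inotify has no recursive mode: `inotifywait -r` adds one watch per
    directory (root included), and that is what gets charged against
    max_user_watches. Symlinks are not followed (os.walk default), paths in
    `excluded` are pruned like --exclude, and with one_filesystem other mounts
    (/proc, /sys, /dev, ...) are skipped the way `find -xdev` does.
    """
    root = os.path.abspath(root)
    root_dev = os.stat(root).st_dev
    excluded = {os.path.abspath(p) for p in excluded}
    total = 0
    for dirpath, dirnames, _ in os.walk(root):
        total += 1
        keep = []
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if full in excluded:
                continue
            if one_filesystem:
                try:
                    if os.stat(full).st_dev != root_dev:
                        continue
                except OSError:
                    continue  # vanished or unreadable: cannot be watched either
            keep.append(name)
        dirnames[:] = keep  # prune in place so os.walk does not descend
    return total


def max_user_watches(path=MAX_USER_WATCHES):
    """Per-user inotify watch limit from /proc, or None when unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def watch_budget(root, excluded=()):
    """Compare what the tree needs with the limit.

    The limit is shared by every inotify user running as the same uid
    (editors, file managers, other watchers), so 'fits' only means there is
    room in principle, not that the watches are free right now.
    """
    needed = count_watch_dirs(root, excluded)
    limit = max_user_watches()
    return {"root": root, "needed": needed, "limit": limit,
            "fits": limit is not None and needed < limit}


def make_sample_tree():
    """Constructed fixture: a temp dir with a/b and c under it (4 dirs total)."""
    tmp = tempfile.mkdtemp()
    for sub in ("a/b", "c"):
        os.makedirs(os.path.join(tmp, sub))
    return tmp


if __name__ == "__main__":
    # e.g. python3 inotify_budget.py / /proc /sys   (script name is hypothetical)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(watch_budget(target, sys.argv[2:]))
```

Run it against / before starting inotifywait -r; if "needed" is anywhere near "limit", the watcher will fail with the same ENOSPC message shown above, and even a count below the limit is no guarantee once other processes' watches are counted in.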
3. incron
Install:
apt install -y incron
Let's have it watch the root directory straight away. Create the file /etc/incron.d/test with this content:
/ IN_CREATE,IN_MODIFY /bin/echo $# > /tmp/a.log
Start it and check its status:
root@newbook:/etc/incron.d# systemctl start incron
root@newbook:/etc/incron.d# systemctl status incron
● incron.service - file system events scheduler
   Loaded: loaded (/lib/systemd/system/incron.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-05-24 14:26:11 CST; 33s ago
     Docs: man:incrond(8)
  Process: 11585 ExecStart=/usr/sbin/incrond (code=exited, status=0/SUCCESS)
 Main PID: 11586 (incrond)
    Tasks: 3875 (limit: 4915)
   Memory: 1.8G
   CGroup: /system.slice/incron.service
           ├─11586 /usr/sbin/incrond
           ├─11690 /usr/sbin/incrond
           ├─11691 /usr/sbin/incrond
           ├─11693 /usr/sbin/incrond
           ├─11696 /usr/sbin/incrond
           ├─11700 /usr/sbin/incrond
           ├─11702 /usr/sbin/incrond
           ├─11705 /usr/sbin/incrond
           ├─11707 /usr/sbin/incrond
           ├─11708 /usr/sbin/incrond
           ├─11709 /usr/sbin/incrond
This looks odd: a large number of child processes, and the system was noticeably stuttering. A look at the process count:
# ps -ef | grep incrond | wc
   4917   39337  324509
That many. I stopped it right away before the machine locked up. Stopping it threw an error too:
# systemctl stop incron
Failed to add /run/systemd/ask-password to directory watch: inotify watch limit reached
So it evidently sits on the same inotify mechanism as inotifywait, with one watch per directory and the same per-user watch limit.
4. auditctl
Last up is audit. This is the Linux audit framework (auditd in user space, audit rules in the kernel), which among other things records the system calls that operate on files.
Install:
apt install -y auditd
Try it on a small directory first:
auditctl -w /home/gaory/tmp -p wa
# tail -f /var/log/audit/audit.log | grep /home/gaory/tmp
type=CWD msg=audit(1653374238.163:608432): cwd="/home/gaory/tmp/test"
type=PATH msg=audit(1653374238.163:608432): item=0 name="/home/gaory/tmp/test" inode=21775172 dev=103:0a mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=staff_u:object_r:unlabeled_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
It works, though the raw output is verbose: each event is several records (SYSCALL, CWD, PATH, ...) that share one serial number in msg=audit(timestamp:serial), and a watched directory shows up as a PARENT item alongside the file actually touched. ausearch -i prints the same records in readable form, and giving the rule a key (-k somekey) lets ausearch -k pull out just these events.
However, it cannot be used directly on the root directory! auditctl(8) says:
You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning.
All I can say is, make do for now and list the subdirectories of / one by one (rules that match on the syscall rather than on a path, -a always,exit -F arch=b64 -S ..., are not subject to this restriction, but they log every matching call system-wide):
auditctl -w /home -p wa
auditctl -w /var -p wa
auditctl -w /opt -p wa
auditctl -w /usr -p wa
auditctl -w /mnt -p wa
Here is an open question to end on: the audit log /var/log/audit/audit.log sits under /var, which is now itself watched. Does that create a loop? One thing to keep in mind from auditctl(8): -p r and -p w do not match the read and write syscalls themselves (they would flood the log); only the flags of path-taking calls such as open are examined, so a daemon that opens the log once and keeps appending to it would not produce a record per line written.
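To turn that verbose raw log into the file list the original requirement asks for, here is an added example (my own Python, not code from the post or from the audit project) that groups records by serial number, resolves relative PATH names against the event's CWD record, decodes the hex strings the kernel emits for names containing spaces or control characters, drops PARENT items and, by default, failed syscalls. The log lines it parses are constructed to resemble the records above (a touch in the watched directory, a denied open, and a write inside a directory whose name has a space); the key name "tmpwatch" assumes the rule was loaded with -k tmpwatch, which the rule on this page did not do.

```python
import re
from collections import defaultdict
from posixpath import join, normpath

# Constructed sample of /var/log/audit/audit.log (not a capture from the post):
# three events, each a group of records sharing one msg=audit(ts:serial) id.
# key="tmpwatch" assumes the rule was loaded with -k tmpwatch (the post's rule had no key).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1653374238.163:608432): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2b9f1e3c a2=941 a3=1b6 items=2 ppid=11234 pid=11240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="tmpwatch"
type=CWD msg=audit(1653374238.163:608432): cwd="/home/gaory/tmp/test"
type=PATH msg=audit(1653374238.163:608432): item=0 name="/home/gaory/tmp/test" inode=21775172 dev=103:0a mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=staff_u:object_r:unlabeled_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1653374238.163:608432): item=1 name="b" inode=21775201 dev=103:0a mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=staff_u:object_r:unlabeled_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1653374238.163:608432): proctitle=746F756368002F686F6D652F67616F72792F746D702F746573742F62
type=SYSCALL msg=audit(1653374240.001:608433): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd2b9f1e40 a2=241 a3=1b6 items=1 ppid=11234 pid=11241 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="tmpwatch"
type=CWD msg=audit(1653374240.001:608433): cwd="/home/gaory/tmp"
type=PATH msg=audit(1653374240.001:608433): item=0 name="/home/gaory/tmp/locked" inode=21775202 dev=103:0a mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1653374241.500:608434): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c1 a2=241 a3=1b6 items=2 ppid=11234 pid=11242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="tmpwatch"
type=CWD msg=audit(1653374241.500:608434): cwd=2F686F6D652F67616F72792F746D702F737061636520646972
type=PATH msg=audit(1653374241.500:608434): item=0 name=2F686F6D652F67616F72792F746D702F737061636520646972 inode=21775203 dev=103:0a mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1653374241.500:608434): item=1 name=6E6F7465732E747874 inode=21775204 dev=103:0a mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
HEX_FIELDS = {"name", "cwd", "comm", "exe", "proctitle"}


def decode_value(key, raw):
    """Strings are normally quoted; when they hold spaces, quotes or control
    characters the kernel emits them unquoted as hex, so undo that here."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_FIELDS and raw != "(null)" and len(raw) % 2 == 0:
        try:
            return bytes.fromhex(raw).decode("utf-8", "replace")
        except ValueError:
            pass
    return raw


def parse_record(line):
    """One audit.log line -> dict of its fields, plus _ts and _serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
    rec["_ts"], rec["_serial"] = float(m.group(1)), int(m.group(2))
    return rec


def group_events(lines):
    """Group records by serial: an event's SYSCALL/CWD/PATH lines share it."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def changed_files(log_text, only_success=True):
    """Map each path touched by an audited syscall to the events that touched
    it, as (serial, comm, key, nametype) tuples.

    PATH items tagged PARENT are the directory the name was resolved in and
    are dropped; the object itself is CREATE, DELETE or NORMAL (kernels that
    predate nametype report every item, parent included). Relative names are
    resolved against the event's CWD record.
    """
    result = {}
    for serial, recs in group_events(log_text.splitlines()).items():
        by_type = defaultdict(list)
        for r in recs:
            by_type[r["type"]].append(r)
        if not by_type["SYSCALL"]:
            continue  # DAEMON_START, CONFIG_CHANGE, ...: no file items
        sc = by_type["SYSCALL"][0]
        if only_success and sc.get("success") != "yes":
            continue
        cwd = by_type["CWD"][0]["cwd"] if by_type["CWD"] else "/"
        for p in by_type["PATH"]:
            name = p.get("name", "")
            if p.get("nametype") == "PARENT" or name in ("", "(null)"):
                continue
            path = normpath(name if name.startswith("/") else join(cwd, name))
            result.setdefault(path, []).append(
                (serial, sc.get("comm"), sc.get("key"), p.get("nametype")))
    return result


if __name__ == "__main__":
    for path, hits in sorted(changed_files(SAMPLE_LOG).items()):
        print(path, hits)
```

Feed it the real log with `changed_files(open("/var/log/audit/audit.log").read())`; pass only_success=False if denied attempts matter too, since a failed open of a watched file is often the more interesting event from a security point of view.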