File system activity in Linux refers to the various operations and events related to the management and manipulation of files and directories within the file system. This activity encompasses a range of operations performed on files and directories, such as reading, writing, creating, deleting, moving, and modifying their attributes. Monitoring file system activity is crucial for understanding how resources are utilized, identifying potential issues, and ensuring the integrity and security of data.
Monitoring file system activity in Linux can be done using various tools and commands that provide insights into file changes, access patterns, and disk usage. Here are several methods to monitor file system activity:
inotify-tools
inotify-tools is a set of command-line utilities for monitoring file system events. Install it with your package manager and use the inotifywait command.
sudo apt-get install inotify-tools # On Debian/Ubuntu
sudo yum install inotify-tools # On Red Hat/CentOS
inotifywait is a command-line tool that lets you monitor file system events through the inotify kernel subsystem. It is part of the inotify-tools package.
Here’s a basic example of how to use inotifywait:
Basic Usage
inotifywait /path/to/directory
Replace /path/to/directory with the actual path you want to monitor. By default, this command watches for all events (e.g., file creation, modification, deletion) in the specified directory and exits after the first event.
Monitor Specific Events
You can specify the events you want to monitor. For example, to watch only for file creations and deletions:
inotifywait -e create,delete /path/to/directory
You can pass a comma-separated list of events such as create, delete, modify, move, etc.
Recursive Monitoring
To monitor events in subdirectories as well, use the -r or --recursive option:
inotifywait -r -e create,delete /path/to/directory
Running Continuously
By default, inotifywait exits after the first set of events is detected. To keep it running continuously, use the -m or --monitor option:
inotifywait -m /path/to/directory
Displaying Event Details
To control which details are printed for each event, use the --format option (inotifywait has no -v/--verbose flag). For example, to print the full path of the file involved together with the event names:
inotifywait -m --format '%w%f %e' /path/to/directory
This prints the watched directory and file name (%w%f) followed by the event names (%e) for every event.
Execute a Command on Event
You can run a command whenever an event occurs by piping the output of inotifywait into a shell loop, using the --format and --timefmt options to control what each line contains (inotifywait itself has no --exec option). For example, to print a message when a file is created:
inotifywait -m -e create --timefmt '%H:%M:%S' --format '%T %f' /path/to/directory | while read -r time file; do echo "File $file created at $time"; done
This prints a message every time a file is created, giving the file name and the time of the event.
inotifywait with Bash Script
Create a simple Bash script using inotifywait to monitor specific events in a directory.
#!/bin/bash
dir_to_watch="/path/to/directory"
inotifywait -m -r -e create,delete,modify,move "$dir_to_watch"
Save this script, make it executable (chmod +x script.sh), and run it to monitor the specified directory.
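The following script is an added example and not code from the original article: it combines the options described above (continuous, recursive monitoring of selected events with a custom --format) and reacts to each event from a read loop, flagging writes under a few well-known sensitive locations. It assumes inotify-tools is installed; the directory to watch is passed as the first argument rather than hard-coded, and the sensitive-path list is an illustrative assumption.

```shell
#!/bin/sh
# Added example (not part of the original article): a monitoring script that
# reacts to inotifywait events from a read loop. Assumes inotify-tools is
# installed; the directory to watch is given as the first argument.

# Turn one inotifywait record into a readable log line.
# Arguments: timestamp, watched directory, comma-separated event list, file name.
format_event() {
    local stamp="$1" dir="$2" events="$3" name="$4" verb
    case "$events" in
        *CREATE*|*MOVED_TO*)   verb="appeared" ;;
        *DELETE*|*MOVED_FROM*) verb="disappeared" ;;
        *MODIFY*)              verb="changed" ;;
        *ATTRIB*)              verb="attributes changed" ;;
        *)                     verb="event $events" ;;
    esac
    printf '%s %s%s %s\n' "$stamp" "$dir" "$name" "$verb"
}

# Decide whether a path is one a defender wants to be alerted about.
# Returns 0 (true) for a few well-known sensitive locations (assumed list).
is_sensitive() {
    case "$1" in
        /etc/*|/usr/bin/*|/usr/sbin/*|*/.ssh/*) return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Watch a directory tree continuously and print one line per event,
# prefixing events on sensitive paths with ALERT. %w is the watched
# directory (with trailing slash), %e the event list, %f the file name.
watch_loop() {
    inotifywait -m -r -q \
        -e create,delete,modify,move,attrib \
        --timefmt '%H:%M:%S' --format '%T|%w|%e|%f' "$1" |
    while IFS='|' read -r stamp dir events name; do
        line=$(format_event "$stamp" "$dir" "$events" "$name")
        if is_sensitive "$dir$name"; then
            echo "ALERT: $line"
        else
            echo "$line"
        fi
    done
}

# Start watching only when a directory is given, e.g. ./watch.sh /path/to/directory
if [ $# -gt 0 ]; then
    watch_loop "$1"
fi
```

Using '|' as the field separator in --format keeps file names containing spaces intact, which a whitespace-separated read loop would split; the read loop runs in a subshell, so anything it needs to persist (counters, state files) has to be written out rather than kept in shell variables.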
Using auditd
auditd is the Linux audit daemon that allows you to monitor various system events, including file system activity. Here’s a step-by-step guide on how to use auditd to monitor file system events:
Install auditd
# On Debian/Ubuntu
sudo apt-get install auditd
# On Red Hat/CentOS
sudo yum install audit
Start and Enable the auditd Service
sudo systemctl start auditd
sudo systemctl enable auditd
Ensure that the auditd service is running and set to start at boot.
Configure auditd Rules
Create or modify the audit rules to monitor file system events. For example, to monitor a specific directory, create a rule in the /etc/audit/audit.rules file:
sudo nano /etc/audit/audit.rules
Add the following line to monitor events in a specific directory (replace /path/to/directory with the actual path):
-w /path/to/directory -p rwxa -k watch_directory
-w: Watch the specified file or directory.
-p: Set permissions to watch (read, write, execute, attribute change).
-k: Attach a key to the rule (a string identifier).
Save the file and restart the auditd service:
sudo systemctl restart auditd
Verify the Configuration
Use the auditctl command to verify that the rules are loaded:
sudo auditctl -l
This command lists the currently loaded audit rules.
Monitor File System Events
You can use the ausearch command to display events matching specific criteria:
sudo ausearch -k watch_directory
-k: Specify the key attached to the rule. This command shows audit events related to the specified key.
Interpret Audit Log Entries
To interpret the audit log entries, refer to the /var/log/audit/audit.log file. Use tools like ausearch or aureport to filter and analyze the data:
sudo ausearch -k watch_directory
This command displays human-readable audit entries for the specified key.
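The raw audit log records one event as several lines sharing the same serial number in msg=audit(timestamp:serial): a SYSCALL record carrying the key, uid and exe, followed by CWD and PATH records naming the files touched. The script below is an added example, not part of the original article, that joins those records so each line of output answers who ran which program against which path. The audit records embedded in it are constructed samples with placeholder values, not output from a real system; the rule key watch_directory is the one from the rule above.

```shell
#!/bin/sh
# Added example (not from the original article): correlate raw audit.log
# records for a given rule key into one line per event.
# The records in SAMPLE_AUDIT_LOG are constructed for illustration; every
# field value is a placeholder, not real system output.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="watch_directory"
type=CWD msg=audit(1700000000.101:501): cwd="/path/to/directory"
type=PATH msg=audit(1700000000.101:501): item=0 name="/path/to/directory" inode=100 nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/path/to/directory/secrets.env" inode=101 nametype=CREATE
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 comm="rm" exe="/usr/bin/rm" key="watch_directory"
type=CWD msg=audit(1700000000.202:502): cwd="/path/to/directory"
type=PATH msg=audit(1700000000.202:502): item=0 name="/path/to/directory" inode=100 nametype=PARENT
type=PATH msg=audit(1700000000.202:502): item=1 name="/path/to/directory/secrets.env" inode=101 nametype=DELETE
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=4 items=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="other_key"
type=PATH msg=audit(1700000000.303:503): item=0 name="/etc/crontab" inode=200 nametype=NORMAL'

# correlate_audit_events KEY
# Reads raw audit records on stdin and prints, for each event whose SYSCALL
# record carries KEY:  serial syscall auid=.. uid=.. exe=.. nametype path
# PARENT entries (the containing directory) are skipped.
correlate_audit_events() {
    awk -v want="$1" '
    # Extract the value of a name=value field, quoted or bare.
    function getfield(rec, name) {
        if (match(rec, " " name "=\"[^\"]*\""))
            return substr(rec, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        if (match(rec, " " name "=[^ ]*"))
            return substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        return ""
    }
    # The serial number N in msg=audit(timestamp:N): ties records together.
    function serial_of(rec) {
        match(rec, /:[0-9]+\):/)
        return substr(rec, RSTART + 1, RLENGTH - 3)
    }
    /^type=SYSCALL / {
        id = serial_of($0)
        if (getfield($0, "key") == want) {
            keep[id] = 1
            info[id] = getfield($0, "syscall") " auid=" getfield($0, "auid") \
                       " uid=" getfield($0, "uid") " exe=" getfield($0, "exe")
        }
    }
    /^type=PATH / {
        id = serial_of($0)
        nt = getfield($0, "nametype")
        if ((id in keep) && nt != "PARENT")
            print id, info[id], nt, getfield($0, "name")
    }'
}

# Demo on the constructed sample. On a real host, feed the daemon log instead:
#   sudo ausearch -k watch_directory --raw | correlate_audit_events watch_directory
printf '%s\n' "$SAMPLE_AUDIT_LOG" | correlate_audit_events watch_directory
```

The auid field (the login uid, which survives su and sudo) is what ties an event back to the human who started the session, so it is worth keeping beside uid when summarising. On distributions that build the rule set with augenrules, put the -w line in a file under /etc/audit/rules.d/ rather than editing /etc/audit/audit.rules directly, since that file is regenerated from rules.d at service start.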
sysdig
sysdig is a versatile system monitoring and troubleshooting tool that can capture and display file system activity.
sudo sysdig -A -c echo_fds fd.type=file
This command displays file system activity with details like read and write operations.
fatrace
fatrace is a utility that reports file access events from all running processes.
sudo apt-get install fatrace # On Debian/Ubuntu
sudo yum install fatrace # On Red Hat/CentOS
sudo fatrace -t
This command shows file access events in real-time, including the process generating the event.
iotop
iotop is a tool for monitoring I/O usage on a system, including file system activity.
sudo apt-get install iotop # On Debian/Ubuntu
sudo yum install iotop # On Red Hat/CentOS
sudo iotop
Run iotop to display processes and their I/O usage, including file reads and writes.
Choose the tool or method that best fits your needs based on the level of detail required and the specific file system activity you want to monitor. Note that some tools may require installation through your system’s package manager.