System is CentOS 8.

I need to determine what process is touching a file without making any changes in content. I've tried auditctl but it does not seem to have a filesystem watch that can track these attributes.

sudo auditctl -w /boot/grub2/grubenv -p a -k GRUBENV

but this does not capture timestamp changes.

Is there a way to log changes to file modify/change timestamps that do not alter anything else about the file?

Ex Umbris
  • https://serverfault.com/questions/320716/find-out-which-process-is-changing-a-file has a nice example as per Romeo's answer. – gm3dmo Jan 02 '20 at 19:26

1 Answer

A timestamp change is more like a write operation. So the command should look like:

sudo auditctl -w /boot/grub2/grubenv -p wa -k GRUBENV
Romeo Ninov
  • Interesting, I'll try this and report back after the next spurious timestamp change. – Ex Umbris Jan 03 '20 at 00:30
  • The process touching grubenv is `systemd`, which is executing `/usr/sbin/grub2-set-bootflag`. Why this is happening will merit a new question unless I can find something explaining why `systemd` is doing this regularly. – Ex Umbris Jan 03 '20 at 01:06
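
Once the `-p wa` watch with key `GRUBENV` is in place, the records it produces can be correlated to name the responsible process. The following is an added example, not part of the original question, answer or comments: it groups SYSCALL and PATH records by audit event ID and reports the executable, PID and parent PID for events tagged with the watch key. The log lines are constructed samples in `audit.log` format (PIDs, timestamps and inode numbers are made up), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not real captured output).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1578013560.123:456): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=2211 uid=0 comm="grub2-set-bootf" exe="/usr/sbin/grub2-set-bootflag" key="GRUBENV"
type=PATH msg=audit(1578013560.123:456): item=0 name="/boot/grub2/grubenv" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1578013599.001:460): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=2300 uid=1000 comm="cat" exe="/usr/bin/cat" key="OTHER"
type=PATH msg=audit(1578013599.001:460): item=0 name="/etc/hosts" inode=77 nametype=NORMAL
'''

# Every record carries "msg=audit(<timestamp>:<serial>)"; records that share
# the same pair belong to one event.
MSG_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records into events keyed by (timestamp, serial)."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-audit lines
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[(ts, serial)]
        if rtype == "SYSCALL":
            for name in ("pid", "ppid", "uid", "comm", "exe", "syscall", "key"):
                ev[name] = fields.get(name)
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return events

def who_touched(text, key, path):
    """Return (exe, pid, ppid, syscall) for events tagged `key` that name `path`."""
    hits = []
    for ev in parse_events(text).values():
        if ev.get("key") == key and path in ev["paths"]:
            hits.append((ev["exe"], int(ev["pid"]), int(ev["ppid"]), int(ev["syscall"])))
    return hits

if __name__ == "__main__":
    for hit in who_touched(SAMPLE_LOG, "GRUBENV", "/boot/grub2/grubenv"):
        print(hit)
```

On a live system the same function can be fed the contents of `/var/log/audit/audit.log`; a parent PID of 1 in the result points at the init process as the launcher.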