Thanks, this looks like it does exactly that, although it requires the audit tools installed which probably aren't everywhere by default. But ok, if one needs that information, they can always be installed.
– homer5439 Sep 24 '11 at 10:19
As a note to people seeing this: you can't place watches on the top-level directories (prohibited by the kernel)
– Tony Sepia Feb 1 '19 at 11:34
That's really an efficient way! Thanks a lot!!! BTW, when you're done, you can remove all the hooks to avoid writing the audit log forever by auditctl -D. You may use auditctl -l to list all hooks.
– Robert Mar 27 '19 at 9:08
Thanks, this is quite close to what I need, as it produces the whole list of open files first, then filters by /some/dir. However, if processes create the files very quickly and don't keep them open, I understand that the above may miss some events. I think in that case the only option is the audit subsystem, right?
– homer5439 Sep 24 '11 at 10:18
Thanks, I had considered inotify tools before, however I found that they work purely at the filesystem level and don't seem to be able to provide info about who did what.
– homer5439 Sep 24 '11 at 11:41
Thanks. Is it correct that the above command only tells me who is accessing existing files but doesn't show anything for newly created files? My understanding is that /some/dir/* expands to the list of files present at the time the command is invoked.
– homer5439 Sep 24 '11 at 10:15