Reputation: 241
Find all changes in filesystem done by a process in Linux/Mac?
Let's say I am going to run a Mac program that will be doing some patching in my home directory. The program requires ROOT privileges to run and I don't know for sure what it does indeed because I don't have source code.
How can I see a list of all changes in file system by a program?
I know I can list currently opened files by lsof -p pid . But how do I see retrospectively all changes that the program made in my entire file system?
Another thing that comes to mind is using find but I didn't figure that one out.
Side question. Does the pid change when the app gains ROOT privileges?
Upvotes: 1
Views: 338
Answers (1)
Reputation: 2218
You can use strace to record all actions done by application.
In fact it can trace all children which could be spawned by original command.
strace -o traces -ff ./your-app-to-trace
this will generate multiple trace files (one file per process). Then you can grep them to see what files were touched and what was written to them.
Upvotes: 2
Related Questions
- Linux - How to track all files accessed by a process?
- See what process is accessing a file in Mac OS X
- how to investigate what a process is doing?
- How to get files modified by certain process in Linux
- On linux, how to monitor the change of a file/directory, by system call or shell command?
- Is it possible to identify what process is changing a file with FileSystemWatcher?
- How to track an application to determine what files are modified/created/deleted during the application execution on Linux?
- monitor which process modified a file under FreeBSD/Linux
- Mac OS X: getting names of changed/written files
- Determine files modified by process