Tracking all file changes in a unix host
I'm evaluating a tool and I need to identify all files (including system config files) added, changed or removed by this application (it is installed using pip).
After installing on an external host, I'll track all the changes to bring the application to a different host with the help of those tracked changes.
Note that I'm not looking for application or install logs, I'm looking for the changes made by this install and its application.
This can also be a useful scenario to audit the impact of any application being evaluated.
One possible solution is using fswatch (https://www.ostechnix.com/monitor-file-changes-using-fswatch-linux/), but it is not able to monitor the root directory.
A good decade ago, there was a tool for Windows called Norton CleanSweep (https://en.wikipedia.org/wiki/Norton_CleanSweep) that monitored an app install and tracked all files and registry entries added by this install to allow full deletion of this tracked install. That's exactly what I'm looking for, but for a unix box (Debian-based distros would be the perfect fit).
Any ideas on what can be used to track all changes in a unix host?
linux filesystems system-installation utilities audit
Using fswatch could work, but apparently it's not able to watch the whole filesystem:
sudo fswatch -r -x --monitor=inotify_monitor --batch-marker --exclude=/tmp/* --exclude=/lib/modules/.*-aws.* --exclude=///lib/terminfo.* --exclude=/dev/pts.* --event=Created --event=Updated --event=Removed --event=MovedTo /bin /dev /etc /home /root /sbin /usr /var
– Rafael Borja
Mar 15 at 15:35
asked Mar 15 at 13:30 by Rafael Borja (edited Apr 1 at 19:34)
1 Answer
Since fswatch could not handle the amount of operations properly when the root directory is provided, inotifywait (https://linux.die.net/man/1/inotifywait) can be used.
It waits for changes to files using inotify. The following command can be used:
sudo inotifywait -m -r --exclude "(/tmp.*|/var/cache.*|/dev/pts/|/var/log.*)" -e MOVED_TO -e CREATE -e CLOSE_WRITE -e DELETE -e MODIFY -o /tmp/my_tracked_install_files /
Where:
- -m: uses monitoring mode
- -r: recursive path
- --exclude: uses a regex to not watch events on some directories (temp and log directories, and /dev/pts, due to the amount of unnecessary changes in those directories)
- -e MOVED_TO, CREATE, CLOSE_WRITE, DELETE and MODIFY: the only events we are interested in (inotifywait captures all kinds of filesystem events, including listing)
- -o: output file
Please note that inotifywait does not capture NFS files written from other hosts.
It is very likely that you must increase the number of inotify watches (as described in https://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux):
cat /proc/sys/fs/inotify/max_user_watches # default is 8192
sudo sysctl fs.inotify.max_user_watches=1048576 # increase to 1048576
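The command above leaves a raw event stream in /tmp/my_tracked_install_files, one line per event, with the same file appearing many times. What you actually want to carry to the other host is the net outcome per path. Here is an added example (not code from the question or the answer) that consolidates such a log in Python: the sample lines are constructed in inotifywait's default "<watched> <events> <name>" layout, the package name, paths and the post-hoc EXCLUDE regex are assumptions, and a path that was created and then deleted during the install is dropped because it nets to nothing.

```python
import re

# Constructed sample in inotifywait's default output layout ("<watched> <events> [<name>]"),
# standing in for the /tmp/my_tracked_install_files written by the answer's command.
# Not real captured output; the package and file names are made up.
SAMPLE_LOG = """\
/usr/local/lib/python3.7/dist-packages/ CREATE,ISDIR sometool
/usr/local/lib/python3.7/dist-packages/sometool/ CREATE __init__.py
/usr/local/lib/python3.7/dist-packages/sometool/ MODIFY __init__.py
/usr/local/lib/python3.7/dist-packages/sometool/ CLOSE_WRITE,CLOSE __init__.py
/usr/local/bin/ CREATE sometool
/usr/local/bin/ CLOSE_WRITE,CLOSE sometool
/etc/ MODIFY sometool.conf
/etc/ CLOSE_WRITE,CLOSE sometool.conf
/etc/hosts MODIFY
/root/.cache/pip/ CREATE,ISDIR http
/tmp/ CREATE pip-build-abc123
/tmp/ DELETE pip-build-abc123
/var/log/ MODIFY syslog
/home/user/ CREATE scratch.txt
/home/user/ DELETE scratch.txt
/home/user/ DELETE old_notes.txt
"""

# Assumed noise to drop after the fact: pip's download cache plus temp and log churn.
EXCLUDE = r"^(/root/\.cache/pip|/tmp|/var/log)(/|$)"


def parse_line(line):
    """Split one default-layout line into (absolute path, event list, is_dir); None if empty."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) < 2 or not parts[0]:
        return None
    watched, events = parts[0], parts[1].split(",")
    name = parts[2] if len(parts) == 3 else ""   # empty when the watched object itself is a file
    if name:
        path = watched + name if watched.endswith("/") else watched + "/" + name
    else:
        path = watched
    return path, events, "ISDIR" in events


def consolidate(log_text, exclude=None):
    """Collapse the event stream into the net outcome per path.

    Returns {path: (status, is_dir)} with status in added / changed / removed.
    A path created and then deleted during the run is dropped: no net change.
    """
    skip = re.compile(exclude) if exclude else None
    state = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, events, is_dir = parsed
        if skip and skip.search(path):
            continue
        current = state[path][0] if path in state else None
        if "CREATE" in events or "MOVED_TO" in events:
            # recreating something removed earlier nets out to a change
            state[path] = ("changed" if current == "removed" else "added", is_dir)
        elif "DELETE" in events:
            if current == "added":
                del state[path]
            else:
                state[path] = ("removed", is_dir)
        elif "MODIFY" in events or "CLOSE_WRITE" in events:
            if current is None:
                state[path] = ("changed", is_dir)
        # CLOSE or ISDIR on their own carry no state change
    return state


def report(state):
    """Sorted, column-aligned listing suitable for replaying on another host."""
    return "\n".join(f"{status:<8}{'dir ' if is_dir else 'file'} {path}"
                     for path, (status, is_dir) in sorted(state.items()))


if __name__ == "__main__":
    print(report(consolidate(SAMPLE_LOG, EXCLUDE)))
```

Two limits of the event stream are worth knowing before trusting the listing: a MOVED_TO onto a file that already existed (the atomic-replace pattern used by many installers) shows up as "added", because inotify never reports whether the target was there before; and the default layout is ambiguous for paths containing spaces, which inotifywait's --format option lets you avoid at the cost of adapting the parser.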
And creation of new files and directories in new directories can also be missed: stackoverflow.com/questions/15806488/inotify-missing-events
– Andrew Henle
Mar 15 at 18:37
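Both gaps mentioned here and in the answer (events lost in directories created while inotifywait is still adding watches, and NFS writes from other hosts that inotify never sees) are closed by a before/after snapshot of the tree: fingerprint everything once, install, fingerprint again, and diff. This added example (not code from the question or the answer, and not a tool the page names) does that in Python; the DEFAULT_EXCLUDE list, the package paths and the temporary tree the demo builds are constructed for illustration. Snapshots are keyed by path relative to the root, so two snapshots can also be compared across hosts.

```python
import hashlib
import os
import re
import tempfile

# Subtrees to leave out when the root is "/": pseudo-filesystems and churn directories.
# Matched against the path relative to the snapshot root; this default is an assumption.
DEFAULT_EXCLUDE = r"^(proc|sys|dev|run|tmp|var/cache|var/log)(/|$)"


def _digest(path):
    """SHA-256 of a file's contents, read in 1 MiB chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, exclude=DEFAULT_EXCLUDE):
    """Fingerprint everything under root, keyed by path relative to root.

    Directories -> ("dir", mode); symlinks -> ("link", target);
    regular files -> ("file", mode, size, sha256). Other node types are skipped.
    Excluded subtrees and other mount points are not descended into.
    """
    skip = re.compile(exclude) if exclude else None
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        keep = []
        for d in dirnames:
            p = os.path.join(dirpath, d)
            rel = os.path.relpath(p, root)
            if (skip and skip.search(rel)) or os.path.ismount(p):
                continue
            try:
                st = os.lstat(p)
            except OSError:
                continue
            keep.append(d)
            snap[rel] = ("link", os.readlink(p)) if os.path.islink(p) else ("dir", st.st_mode & 0o7777)
        dirnames[:] = keep          # prune in place so os.walk honours the exclusions
        for name in filenames:
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root)
            if skip and skip.search(rel):
                continue
            try:
                st = os.lstat(p)
                if os.path.islink(p):
                    snap[rel] = ("link", os.readlink(p))
                elif os.path.isfile(p):
                    snap[rel] = ("file", st.st_mode & 0o7777, st.st_size, _digest(p))
            except OSError:
                continue            # vanished or unreadable between listing and hashing
    return snap


def diff_snapshots(before, after):
    """Net change between two snapshots: sorted added / changed / removed relative paths."""
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
        "removed": sorted(set(before) - set(after)),
    }


def demo():
    """Constructed stand-in for a host: baseline, simulated pip install, second snapshot, diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as f:
                f.write(text)

        write("etc/sometool.conf", "old=1\n")
        write("home/user/old_notes.txt", "notes\n")
        write("var/log/syslog", "line1\n")
        before = snapshot(root)
        # Simulated install: a brand-new package tree (the case inotify can miss),
        # a config edit, a deletion, and log churn that the exclude list drops.
        write("usr/local/lib/python3.7/dist-packages/sometool/__init__.py", "print('hi')\n")
        write("etc/sometool.conf", "old=1\nnew=2\n")
        os.remove(os.path.join(root, "home/user/old_notes.txt"))
        write("var/log/syslog", "line1\nline2\n")
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:<8}{p}")
```

Because the fingerprint includes the permission bits, a chmod (for example a newly setuid binary) shows up as "changed" even when the contents are identical, which an event log filtered to the five events above would not report at all. Hashing the whole of / takes a while, so in practice run the snapshot on the root you care about with -xdev-style pruning (the ismount check here) and keep inotifywait running in parallel for the ordering and timing information the snapshot cannot give.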
answered Mar 15 at 17:36 by Rafael Borja (edited Mar 15 at 18:03)