On Wed, Aug 09, 2006 at 01:17:11PM +1200, Phill Coxon wrote: > ** Is there any way to monitor a file and log which processes or scripts > access and / or modify it?
Under Solaris 10 or some BSDs you could run dtrace ... but under Linux I'm not aware of anything that would operate like that. You could examine any running process using point-in-time tools like lsof and strace, but that won't help you very much. If the process that deletes the file is on the machine, you might be able to find it by grepping for the filename in *all* your executables and scripts and config files ... but that isn't guaranteed to be successful. If even minor efforts have been made to obscure the deletion, that won't be enough to locate them. How about making the directory containing that file it's own (small) filesystem? Perhaps using loopback ... and then mount it read-only. You don't need to be root for that (unless you don't have loopback support) -jim
