
Topic: Finding which process is overwriting a file

Rich (Administrator, Hero Member, Posts: 12614)
Finding which process is overwriting a file
« on: Today at 12:27:43 AM »
Recently a forum member asked about tracking down which program was overwriting some files:
https://forum.tinycorelinux.net/index.php/topic,28044.0.html

Searching the TC14 x86_64 repo turned up a couple of possible tools.
audit.tcz - A tool for auditing system calls.
Unfortunately, the kernel config is not set up to support it.

trace-cmd.tcz - A tool to interact with ftrace, the Linux kernel's internal tracer.
Unfortunately, the kernel config for ftrace is not enabled.

A little searching on the Internet turned up fatrace. The program is a
little quirky, but seems usable. Here's a quick tutorial of how I made it work.

Fetch and build the program:
Code:
# Install toolchain and a couple of support packages.
tce-load -wi compiletc git sstrip

# Create a build directory.
mkdir FAtrace
cd FAtrace

# Fetch the source package.
git clone https://github.com/martinpitt/fatrace.git

# Build and strip fatrace.
cd fatrace
make
sstrip fatrace

Dealing with one of the quirks:
Code:
# From the man page:
# "It does not report file access by fatrace itself, to avoid logging events
# caused by writing the output into a file. It also ignores events on virtual
# and kernel file systems such as sysfs, proc, and devtmpfs."
#
# It also seems to ignore the RAM based rootfs, including /etc. It seems to
# want "real mount points", so we create one:
mkdir etc
sudo mount --bind /etc etc

Options and a sample command:
Code:
cd etc
# Useful options:
# -c means "Only record events on partition/mount of current directory".
# That's why we cd into etc.
# -f W means "We only want to capture file writes".
# -p means "Ignore events for this process ID. Can be specified multiple times."
# That's useful for filtering out noisy processes.
# -o ../file.txt means "Write events to given file instead of standard output."
# No point in writing a file to etc.
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ sudo .././fatrace -c -f W -o ../file.txt

A sample run.
Delete the previous output file (quirk). fatrace will not start if the output file exists:
Code:
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ rm -f ../file.txt
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ sudo .././fatrace -c -f W -p 397 -o ../file.txt

In another terminal, turn eth0 off and on, causing writes to /etc/resolv.conf:
Code:
tc@box:~$ sudo ifconfig eth0 down
tc@box:~$ sudo /opt/eth0.sh

Then Ctrl-C and check the results:
Code:
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ cat ../file.txt
eth0.sh(8208): W   /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(8208): CWO /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$

Filtering for resolv.conf and hosts files:
Code:
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ sudo .././fatrace -c -f W 2>&1 grep -E "resolv|hosts"
eth0.sh(13001): W   /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(13001): W   /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(13001): CW  /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(13001): W   /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(13001): CW  /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
Even though eth0.sh performs 2 echo commands into /etc/resolv.conf, we get 5 results (quirk?).

For some reason, this way creates an empty file:
Code:
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ sudo .././fatrace -c -f W 2>&1 grep -E "resolv|hosts" > ../file.txt

Another quirk, or is something wrong with my redirection?
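Once fatrace is producing events, the remaining work is reducing a noisy stream to "which process touched this file, and how often". The following is an added example, not code from the post or from the fatrace project: a small POSIX shell/awk filter that reads fatrace's `name(pid): FLAGS path` lines on stdin, keeps only write or create events whose path matches a regex, and prints a per-process tally. The sample event lines are constructed (modelled on the output format shown above, with a couple of extra invented writers such as `udhcpc` and `cron` to make the aggregation visible); the function names `summarize_writers` and `top_writer` are my own. It assumes paths without embedded spaces, which is the case for the files discussed here.

```shell
#!/bin/sh
# Added example (not from the forum post): aggregate fatrace events by writer.
# fatrace prints one event per line in the form:
#   name(pid): FLAGS path        e.g.  eth0.sh(8208): CWO /mnt/etc/resolv.conf
# Flags seen in the post: W = write, C = create, O = open.

# Constructed sample, modelled on the post's output (not a real capture).
SAMPLE_EVENTS='eth0.sh(8208): W   /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(8208): CWO /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
udhcpc(9011): W   /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
cron(412): W   /home/tc/BuildTCZs/FAtrace/fatrace/etc/hosts
vi(8300): O   /home/tc/BuildTCZs/FAtrace/fatrace/etc/hosts'

# summarize_writers FILE_REGEX
#   Reads fatrace events on stdin, keeps only write/create events (flag field
#   containing W or C) whose path matches FILE_REGEX (awk ERE), and prints
#   "count name(pid) path", most frequent writer first.
#   Assumes paths contain no spaces (field 3 is the whole path).
summarize_writers() {
    awk -v pat="$1" '
        # $1 = "name(pid):", $2 = flags, $3 = path
        $3 ~ pat && $2 ~ /[WC]/ {
            proc = $1
            sub(/:$/, "", proc)          # strip trailing colon -> name(pid)
            count[proc " " $3]++
        }
        END {
            for (key in count) print count[key], key
        }' | sort -rn
}

# top_writer FILE_REGEX
#   Prints just the name(pid) with the most write/create events on the match.
top_writer() {
    summarize_writers "$1" | head -n1 | awk '{print $2}'
}

# Live use (needs root; -c restricts fatrace to the mount holding the current
# directory, so run it from the bind-mounted etc as in the post):
#   cd etc && sudo ../fatrace -c -f W | summarize_writers 'resolv|hosts'
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_EVENTS" | summarize_writers 'resolv|hosts'
```

The filter deliberately counts lines carrying `C` as well as `W`, because fatrace reports a creating write as a combined flag set such as `CW` or `CWO` rather than as a bare `W`; the separate `O` (open only) event from `vi` is dropped, so a process that merely opened the file for reading does not show up as a writer.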