Tiny Core Linux
General TC => Programming & Scripting - Unofficial => Topic started by: Rich on March 04, 2026, 12:27:43 AM
-
Recently a forum member asked about tracking down which program was overwriting some files:
https://forum.tinycorelinux.net/index.php/topic,28044.0.html
Searching the TC14 x86_64 repo turned up a couple of possible tools.
audit.tcz A tool for auditing system calls.
Unfortunately, the kernel config is not set up to support it.
trace-cmd.tcz A tool to interact with ftrace linux kernel internal tracer.
Unfortunately, the kernel config for ftrace is not enabled.
A little searching on the Internet turned up fatrace. The program is a
little quirky, but seems usable. Here's a quick tutorial of how I made it work.
Fetch and build the program:
# Install toolchain and a couple of support packages.
tce-load -wi compiletc git sstrip
# Create a build directory.
mkdir FAtrace
cd FAtrace
# Fetch the source package.
git clone https://github.com/martinpitt/fatrace.git
# Build and strip fatrace.
cd fatrace
make
sstrip fatrace
Dealing with one of the quirks:
# From the man page:
# "It does not report file access by fatrace itself, to avoid logging events
# caused by writing the output into a file. It also ignores events on virtual
# and kernel file systems such as sysfs, proc, and devtmpfs."
#
# It also seems to ignore the RAM based rootfs, including /etc. It seems to
# want "real mount points", so we create one:
mkdir etc
sudo mount --bind /etc etc
Options and a sample command:
cd etc
# Useful options:
# -c means "Only record events on partition/mount of current directory".
# That's why we cd into etc.
# -f W Means "We only want to capture file writes".
# -p means "Ignore events for this process ID. Can be specified multiple times."
# That's useful for filtering out noisy processes.
# -o ../file.txt means "Write events to given file instead of standard output."
# No point in writing a file to etc.
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ sudo .././fatrace -c -f W -o ../file.txt
A sample run.
Delete the previous output file (quirk). fatrace will not start if the output file exists:
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ rm -f ../file.txt
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ sudo .././fatrace -c -f W -p 397 -o ../file.txt
In another terminal, turn eth0 off and on, causing writes to /etc/resolv.conf:
tc@box:~$ sudo ifconfig eth0 down
tc@box:~$ sudo /opt/eth0.sh
Then Ctrl-C and check the results:
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ cat ../file.txt
eth0.sh(8208): W /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(8208): CWO /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$
Filtering for resolv.conf and hosts files:
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ sudo .././fatrace -c -f W 2>&1 | grep -E "resolv|hosts"
eth0.sh(13001): W /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(13001): W /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(13001): CW /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(13001): W /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(13001): CW /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
Even though eth0.sh performs 2 echo commands into /etc/resolv.conf, we get 5 results (quirk?).
For some reason, this way creates an empty file:
tc@box:~/BuildTCZs/FAtrace/fatrace/etc$ sudo .././fatrace -c -f W 2>&1 | grep -E "resolv|hosts" > ../file.txt
Another quirk, or is something wrong with my redirection?
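Added example (not part of the original post or of the fatrace project): a POSIX sh/awk helper that condenses a capture like the ones above into one line per writing process and file, mapping the bind-mount path back to /etc. The function names and the sample lines marked as constructed are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: condense fatrace output ("comm(pid): TYPES /path") into
# one line per writer and file. Function names are illustrative.

# summarize_writes BIND_DIR REAL_DIR   (reads fatrace output on stdin)
#   BIND_DIR  the bind mount fatrace watched, e.g. .../fatrace/etc
#   REAL_DIR  the directory it mirrors, e.g. /etc
# Prints "COUNT comm(pid) real-path" in order of first appearance.
summarize_writes() {
    awk -v bind="$1" -v real="$2" '
    {
        sep = index($0, "): ")              # end of "comm(pid)"
        if (sep == 0) next                  # not an event line
        who  = substr($0, 1, sep)
        rest = substr($0, sep + 3)          # "TYPES /path"
        sp = index(rest, " ")
        if (sp == 0) next
        types = substr(rest, 1, sp - 1)
        path  = substr(rest, sp + 1)        # keeps spaces inside the path
        if (index(types, "W") == 0) next    # keep W, CW, CWO; drop R, RO
        # Map the bind-mount path back, only on a whole path component.
        tail = substr(path, length(bind) + 1)
        if (index(path, bind) == 1 && (tail == "" || substr(tail, 1, 1) == "/"))
            path = real tail
        key = who " " path
        if (!(key in count)) order[++n] = key
        count[key]++
    }
    END { for (i = 1; i <= n; i++) printf "%d %s\n", count[order[i]], order[i] }
    '
}

# Sample capture: the first two lines are from the run above,
# the last three are constructed for this example.
sample_events() {
    cat <<'EOF'
eth0.sh(8208): W /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
eth0.sh(8208): CWO /home/tc/BuildTCZs/FAtrace/fatrace/etc/resolv.conf
cat(9001): RO /home/tc/BuildTCZs/FAtrace/fatrace/etc/hosts
vi(9002): CW /home/tc/BuildTCZs/FAtrace/fatrace/etc/hosts
vi(9003): W /home/tc/BuildTCZs/FAtrace/fatrace/etc.bak/hosts
EOF
}

BIND=/home/tc/BuildTCZs/FAtrace/fatrace/etc
sample_events | summarize_writes "$BIND" /etc
```

To run it on a real capture written with -o, feed the file in on stdin: summarize_writes "$BIND" /etc < ../file.txt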
-
kicking the weeds at github and this was interesting:
https://github.com/martinpitt/fatrace/pull/66
also wondering which version was fetched? given:
https://tracker.debian.org/pkg/fatrace
(in devuan daedalus)
someone@somewhere:~$ apt info fatrace
Package: fatrace
Version: 0.17.0-1
Priority: optional
Section: utils
Maintainer: Martin Pitt <mpitt@debian.org>
Installed-Size: 44.0 kB
Depends: libc6 (>= 2.34)
Recommends: python3, powertop
Homepage: https://github.com/martinpitt/fatrace
Download-Size: 12.5 kB
APT-Sources: http://deb.devuan.org/merged daedalus/main amd64 Packages
Description: report system wide file access events
fatrace reports file access events from all running processes.
Its main purpose is to find processes which keep waking up the disk
unnecessarily and thus prevent some power saving.
.
This package also contains a "power-usage-report" tool, which uses
fatrace and powertop to build a textual report from one minute of
measuring power usage and file accesses. This does not take any
arguments or requires any interactivity, so is very simple to use and
serves as a starting point for bug reports or optimizing a particular
installation.
just _thinking_out_loud_ mostly...
-
Hi gadget42
... also wondering which version was fetched? given: ...
tc@box:~/BuildTCZs/FAtrace/fatrace$ git describe --tags --long | cut -d '-' -f 1,2 | tr - .
0.19.1.5
tc@box:~/BuildTCZs/FAtrace/fatrace$