Find which process is modifying a file

You can use auditd and add a rule for that file to be watched:

auditctl -w /path/to/that/file -p wa

Then watch for entries to be written to /var/log/audit/audit.log.


SystemTap can do this, using the inodewatch script .


in case the program(s) you are looking for still have the file opened, you can use the following:

 sudo lsof /path/to/file/being/modified

you could also call this in a small loop, suing the following script getfileusers.sh:

 #!/bin/sh

 FILE=$1

 while true; do
    lsof "${FILE}"
 done > /tmp/fileusers.log

and then call it:

 sudo ./getfileusers.sh /path/to/file/being/modified

and eventually inspect /tmp/fileusers.log to see who touched the file...