Find which process is modifying a file
You can use auditd and add a rule for that file to be watched:
auditctl -w /path/to/that/file -p wa
Then watch for entries to be written to /var/log/audit/audit.log.
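To show what to look for in audit.log once the watch fires, here is an added example (not part of the original answer) that groups the SYSCALL, CWD and PATH records of each event by serial number and reports the process behind every event touching the watched file. The sample records and the function name writers_of are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Constructed, trimmed sample records in audit.log format (not from a real host).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.101:4711): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key=(null)
type=CWD msg=audit(1700000000.101:4711): cwd="/root"
type=PATH msg=audit(1700000000.101:4711): item=0 name="/etc/" nametype=PARENT
type=PATH msg=audit(1700000000.101:4711): item=1 name="/etc/hosts" nametype=NORMAL
type=SYSCALL msg=audit(1700000005.202:4712): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1 pid=2345 auid=4294967295 uid=0 comm="sh" exe="/usr/bin/dash" key=(null)
type=CWD msg=audit(1700000005.202:4712): cwd="/etc"
type=PATH msg=audit(1700000005.202:4712): item=1 name="hosts" nametype=NORMAL
type=SYSCALL msg=audit(1700000009.303:4713): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=999 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000009.303:4713): item=0 name="/etc/passwd" nametype=NORMAL
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def writers_of(log_text, watched):
    """Return one dict per audit event whose PATH records name `watched`."""
    events = defaultdict(lambda: {"paths": [], "cwd": "/", "syscall": None})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]  # all records of one event share the serial number
        if rtype == "SYSCALL":
            ev["syscall"] = dict(fields, time=ts)
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd", "/")
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    hits = []
    for ev in events.values():
        # PATH names may be relative; resolve them against the event's CWD record.
        # Hex-encoded names (used for names with spaces) are not decoded here.
        resolved = {os.path.normpath(os.path.join(ev["cwd"], p)) for p in ev["paths"]}
        if ev["syscall"] and os.path.normpath(watched) in resolved:
            sc = ev["syscall"]
            hits.append({k: sc.get(k) for k in ("time", "pid", "ppid", "auid", "uid", "comm", "exe")})
    return hits

if __name__ == "__main__":
    for hit in writers_of(SAMPLE_LOG, "/etc/hosts"):
        print(hit)
```

An auid of 4294967295 means no login user is attached to the process (a daemon or boot-time job). On a live system, ausearch -f /path/to/that/file -i does the same correlation against the real log.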
SystemTap can do this, using the inodewatch script.
In case the program(s) you are looking for still have the file opened, you can use the following:
sudo lsof /path/to/file/being/modified
You could also call this in a small loop, using the following script getfileusers.sh:
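#!/bin/sh
# Repeatedly list the processes that currently have the given file open.
FILE=$1
[ -n "${FILE}" ] || { echo "usage: $0 /path/to/file" >&2; exit 1; }
# No sleep between iterations: this polls as fast as lsof can run,
# so expect high CPU use and a quickly growing log file.
while true; do
    lsof "${FILE}"
done > /tmp/fileusers.log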
and then call it:
sudo ./getfileusers.sh /path/to/file/being/modified
and eventually inspect /tmp/fileusers.log to see who touched the file...