whatfiles: Log what files are accessed by any Linux process

whatfiles

Whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.

Rationale:

I’ve long been frustrated at the lack of a simple utility to see which files a process touches from main() to exit. Whether you don’t trust a software vendor or are concerned about malware, it’s important to be able to know what a program or installer does to your system. lsof only observes a moment in time and strace is large and somewhat complicated.

Questions that could be asked at some point:

• Isn’t this just a reimplementation of strace -fe trace=creat,open,openat,unlink,unlinkat ./program?

  Yes. Though it aims to be simpler and more user-friendly.

• Are there Mac and Windows versions?

  No. Tracing syscalls on Mac requires task_for_pid(), which requires code signing, which I can’t get to work, and anyway I have no interest in paying Apple $100/year to write free software. dtruss on Mac can be used to follow a single process and its children, though the -t flag seems to only accept a single syscall to filter on. fs_usage does something similar though I’m not sure if it follows child processes/threads. Process Monitor for Windows is pretty great.

Known issues:

• Tabs crash when whatfiles is used to launch Firefox. (Attaching with -p [PID] once it’s running works fine, as does using whatfiles to launch a second Firefox window if one’s already open.)

Use:

• basic use launches ls, and writes output to a log file in the current directory:

  $ whatfiles ls -lah ~/Documents

• specify output file location with -o:

  $ whatfiles -o MyLogFile cd ..

• include debug output, print to stdout rather than log file:

  $ whatfiles -d -s apt install zoom

• attach to currently running process (requires root privileges):

  $ sudo whatfiles -p 1234

Download

Copyright (C) 2021 spieglt