LinuxCommandLibrary

fatrace

Trace file system activity

TLDR

Print file access events in all mounted filesystems to stdout

$ sudo fatrace

Print file access events on the mount of the current directory, with timestamps, to stdout

$ sudo fatrace [-c|--current-mount] [-t|--timestamp]

SYNOPSIS

fatrace [-p PID] [-t mountpoint] [-s SECONDS] [-o OUTPUT_FILE]

PARAMETERS

-p PID
    Filters file access events to only show those performed by the process with the specified PID.

-t mountpoint
    Restricts monitoring to file access events occurring within the specified mountpoint (e.g., /home, /var).

-s SECONDS
    Specifies a timeout in SECONDS after which fatrace will automatically terminate.

-o OUTPUT_FILE
    Redirects the output of fatrace from standard output to the specified OUTPUT_FILE.

DESCRIPTION

fatrace is a command-line utility for Linux systems designed to monitor and report file access events across the entire system or specific mount points. It leverages the fanotify kernel subsystem, which is more scalable and efficient than inotify for system-wide file activity monitoring. fatrace can track various file operations, including opening, reading, writing, and closing files. Its primary use cases include debugging unexpected disk activity, identifying processes performing I/O on specific files or directories, and auditing file access patterns. It provides output detailing the process name, process ID (PID), the type of file event (e.g., O for open, R for read, W for write, C for close), and the full path to the file involved. Due to its use of fanotify, fatrace requires root privileges to run.

CAVEATS

  • Requires root privileges to run due to its reliance on the fanotify kernel API.
  • Can generate a large volume of output on busy systems, making it difficult to analyze without filtering.
  • The fanotify API itself has limitations; for example, it reports events on inodes, not necessarily on specific file descriptors, and events might not perfectly correspond to traditional open()/read()/write() calls in all scenarios.
  • The fanotify API is available in Linux kernel 2.6.37 and later.

OUTPUT FORMAT

The output of fatrace typically follows the format: PROCESS_NAME(PID): EVENT_TYPE FILE_PATH.

EVENT_TYPE can be:

  • O (Open)
  • R (Read)
  • W (Write)
  • C (Close)
  • Other less common types may also appear depending on kernel version and event flags.
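The line format above is simple enough to post-process, which is the usual answer to the "large volume of output" caveat: capture a bounded run with the timeout and output-file options, then reduce the log to the questions an investigator actually has (which process wrote where, and did anything write under a sensitive tree). The following script is an added example, not code from the LinuxCommandLibrary page or from the fatrace project. It parses the PROCESS_NAME(PID): EVENT_TYPE FILE_PATH shape documented here, treats an optional leading HH:MM:SS[.micro] token as the timestamp produced by --timestamp (an assumption about the timestamp layout), counts any event whose type contains W as a write so that combined event tokens are still caught, and skips lines that do not match rather than aborting. The sample log lines are constructed for the example.

```python
"""Summarise fatrace output: writes per process and writes under watched trees.

Added example; the sample lines below are constructed, not captured output.
Usage: python3 fatrace_summary.py /tmp/fatrace.log   (or pipe fatrace into stdin)
"""
import re
import sys
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

# Documented line shape: PROCESS_NAME(PID): EVENT_TYPE FILE_PATH
# Assumption: with --timestamp the line starts with HH:MM:SS[.fraction] and a space.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?)\s+)?"   # optional timestamp prefix
    r"(?P<proc>.+?)\((?P<pid>\d+)\):\s+"           # process name and PID
    r"(?P<ev>\S+)\s+(?P<path>.+)$"                 # event flags and full path
)


class Event(NamedTuple):
    ts: Optional[str]
    proc: str
    pid: int
    ev: str      # raw event token, e.g. "O", "R", "W", "C" (or a combination)
    path: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for one fatrace line, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return Event(m["ts"], m["proc"], int(m["pid"]), m["ev"], m["path"])


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse many lines, silently dropping anything that is not an event line."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def writes_per_process(events: Iterable[Event]) -> Counter:
    """Count write events, keyed by 'name(pid)' so PID reuse stays visible."""
    counts: Counter = Counter()
    for e in events:
        if "W" in e.ev:            # any token containing W counts as a write
            counts[f"{e.proc}({e.pid})"] += 1
    return counts


def writes_under(events: Iterable[Event], prefixes: Iterable[str]) -> Dict[str, List[str]]:
    """Map each written path under one of the prefixes to the writers that touched it."""
    prefixes = tuple(prefixes)
    hits: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if "W" in e.ev and e.path.startswith(prefixes):
            hits[e.path].append(f"{e.proc}({e.pid})")
    return dict(hits)


# Constructed sample: one read-only access, one edit of an SSH config, a busy
# logger, and a junk line to show that unparseable input is skipped.
SAMPLE = """\
bash(1234): O /etc/passwd
bash(1234): R /etc/passwd
bash(1234): C /etc/passwd
12:00:01.000123 vim(2001): O /etc/ssh/sshd_config
12:00:01.000456 vim(2001): W /etc/ssh/sshd_config
12:00:02.100000 vim(2001): C /etc/ssh/sshd_config
rsyslogd(800): W /var/log/syslog
rsyslogd(800): W /var/log/syslog
garbage line without structure
"""

# Trees where an unexpected writer is worth a second look (example choice).
WATCHED = ["/etc/", "/usr/bin/", "/usr/lib/"]


def report(lines: Iterable[str]) -> str:
    events = parse(lines)
    out = [f"{len(events)} events parsed"]
    out.append("writes per process:")
    for who, n in writes_per_process(events).most_common():
        out.append(f"  {n:6d}  {who}")
    out.append(f"writes under {', '.join(WATCHED)}:")
    for path, writers in sorted(writes_under(events, WATCHED).items()):
        out.append(f"  {path}  <-  {', '.join(sorted(set(writers)))}")
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh))
    elif not sys.stdin.isatty():
        print(report(sys.stdin))
    else:
        print(report(SAMPLE.splitlines()))
```

Keying the counters on name(pid) rather than on the bare process name matters on a busy host, because a short-lived PID can be reused within one capture; keeping both makes it obvious when two different processes shared a name.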

PRIVILEGES

Running fatrace requires root privileges. Attempting to run it as a regular user will result in a permission denied error. This is because the underlying fanotify kernel interface requires elevated permissions to monitor system-wide file events.

HISTORY

fatrace was developed as a simpler and more efficient alternative to approaches like strace for system-wide file access monitoring. It specifically leverages the fanotify API, introduced in Linux kernel 2.6.37 (early 2011), which was designed for highly scalable file activity notification, especially for security applications like anti-virus scanning or hierarchical storage management. Prior to fanotify, inotify was available but was less suited for monitoring entire filesystems due to its per-directory watch limits and potential for performance overhead. fatrace simplifies access to this powerful kernel feature for system administrators and developers.

SEE ALSO

strace(1), lsof(8), iotop(8), perf(1), auditctl(8)
