Linux equivalent to Mac OS X's fs_usage

Question

Is there a Linux equivalent to the Mac OS X command fs_usage? According to the man page it does the following: "report system calls and page faults related to filesystem activity in real-time".

I suppose one option would be to use strace and filter the data, however the fs_usage command allows all the processes running on the system to be "traced" at the same time.

Here's an example output:

03:44:25  stat64            erences/ByHost/org.mozilla.firefox.69AC0B48-F675-5045-B873-A28B119C33E7.plist     0.000029   firefox     
03:44:25  stat64            /Users/**********/Library/Preferences                                             0.000011   firefox     
03:44:25  statfs64          /Users/**********/Library/Preferences                                             0.000004   firefox     
03:44:25  open              /Users/**********/Library/Preferences/org.mozilla.firefox.plist.lockfile          0.000090   firefox     
03:44:25  stat64            /Users/**********/Library/Preferences/org.mozilla.firefox.plist                   0.000004   firefox     
03:44:25  stat64            /Users/**********/Library/Preferences                                             0.000002   firefox     
03:44:25  open              /Users/**********/Library/Preferences/org.mozilla.firefox.plist.vjLkANe           0.000100   firefox   

Any ideas?

Answer 1

You can use auditctl to monitor system calls related to filesystem activity like open, stat or lstat. Unfortunately, monitoring read or write seems to be problematic.

auditctl is an utility to assist controlling the kernel's audit system. You'll need to be root in order to use it. It supports various filters like:

devmajor    Device Major Number

devminor    Device Minor Number

dir         Full Path of Directory to watch. This will place a recursive
            watch on the directory and its whole subtree. It can only be
            used on exit list. See "-w".

egid        Effective Group ID. May be numeric or the groups name.

euid        Effective User ID. May be numeric or the user account name.

filetype    The target file's type. Can be either file, dir, socket, symlink,
            char, block, or fifo.

path        Full Path of File to watch. It can only be used  on exit list.

pid         Process ID

ppid        Parent's Process ID

Example (tested on Fedora 16 x86_64)

To add the audit rules, run as root:

for syscall in open stat lstat read write; do
    auditctl -a exit,always -F arch=b64 -S $syscall \
             -F euid=1000 \
             -F dir=/tmp/superuser.com/questions/370070
done

To delete them later replace -a with -d:

for syscall in open stat lstat read write; do
    auditctl -d exit,always -F arch=b64 -S $syscall \
             -F euid=1000 \
             -F dir=/tmp/superuser.com/questions/370070
done

After adding the rules do something under that directory as the user with UID 1000:

cd  /tmp/superuser.com/questions/370070
echo foo > bar
cat bar
stat bar

ausearch --start 00:00:00 --uid-effective 1000 will return the following (the log is /var/log/audit/audit.log):

time->Thu Jun 14 00:02:32 2012
type=PATH msg=audit(1339621352.871:18529): item=0 name="/tmp/superuser.com/questions/370070" inode=178 dev=fd:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621352.871:18529):  cwd="/home/ciupicri"
type=SYSCALL msg=audit(1339621352.871:18529): arch=c000003e syscall=4 success=yes exit=0 a0=139bbf0 a1=7fff32d832d0 a2=7fff32d832d0 a3=24 items=1 ppid=2249 pid=3446 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
[root@hermes ~]# ausearch --start 00:00:00 --uid-effective 1000
----
time->Thu Jun 14 00:02:32 2012
type=PATH msg=audit(1339621352.871:18529): item=0 name="/tmp/superuser.com/questions/370070" inode=178 dev=fd:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621352.871:18529):  cwd="/home/ciupicri"
type=SYSCALL msg=audit(1339621352.871:18529): arch=c000003e syscall=4 success=yes exit=0 a0=139bbf0 a1=7fff32d832d0 a2=7fff32d832d0 a3=24 items=1 ppid=2249 pid=3446 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Thu Jun 14 00:02:47 2012
type=PATH msg=audit(1339621367.175:18531): item=0 name="bar" inode=218 dev=fd:03 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621367.175:18531):  cwd="/tmp/superuser.com/questions/370070"
type=SYSCALL msg=audit(1339621367.175:18531): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5ed6b37f a1=0 a2=0 a3=7fff5ed69460 items=1 ppid=3446 pid=4735 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Thu Jun 14 00:02:47 2012
type=PATH msg=audit(1339621367.172:18530): item=1 name="bar" inode=218 dev=fd:03 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=PATH msg=audit(1339621367.172:18530): item=0 name="/tmp/superuser.com/questions/370070" inode=178 dev=fd:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621367.172:18530):  cwd="/tmp/superuser.com/questions/370070"
type=SYSCALL msg=audit(1339621367.172:18530): arch=c000003e syscall=2 success=yes exit=3 a0=1665500 a1=241 a2=1b6 a3=4 items=2 ppid=2249 pid=3446 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Thu Jun 14 00:02:47 2012
type=PATH msg=audit(1339621367.971:18532): item=0 name="bar" inode=218 dev=fd:03 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1339621367.971:18532):  cwd="/tmp/superuser.com/questions/370070"
type=SYSCALL msg=audit(1339621367.971:18532): arch=c000003e syscall=6 success=yes exit=0 a0=7fffdc713375 a1=7fffdc711580 a2=7fffdc711580 a3=7fffdc7112f0 items=1 ppid=3446 pid=4736 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=1 comm="stat" exe="/usr/bin/stat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

The syscall numbers can be found in /usr/include/asm/unistd_64.h.

Answer 2

iowatch might be a possibility.

---

to watch activity in /etc you would run

$ iwatch /etc

Features

• command line and daemon mode
• xml configuration file
• ability to watch a directory recursively and watch new created directories
• can specify a list of exceptions
• can use regex to compare the file/directory name
• can execute a command if an event occurs
• send email
• syslog
• print time stamps

Events available

    access  : file was modified
    modify  : file was modified
    attrib  : file attributes changed
    close_write : file closed, after being opened in writeable mode
    close_nowrite   : file closed, after being opened in read-only mode
    close   : file closed, regardless of read/write mode
    open    : file was opened
    moved_from  : File was moved away from.
    moved_to    : File was moved to.
    move    : a file/dir within watched directory was moved
    create  : a file was created within watched director
    delete  : a file was deleted within watched directory
    delete_self : the watched file was deleted
    unmount : file system on which watched file exists was unmounted
    q_overflow  : Event queued overflowed
    ignored : File was ignored
    isdir   : event occurred against dir
    oneshot : only send event once

Answer 3

Yes, Yes, I know... old thread...

But still... The Apple source code for fs_usage is available online, it's quite possible to compile it yourself. Of course, there ARE some caveats...

It's based on the Apple OS X's netbsd system calls, so some (ha!) editing would be needed...

Even comes with a complimentary Makefile (netbsd flavored, alas).

But if you call within the next 10 minutes, they'll even throw in a usable man page... all for free!

I've been watching too much late night infomercials.

Apple's fs_usage source code

(No refunds, batteries not included, do not return to store, some assembly required)

(and after looking through the code, and seeing your example, I do believe something could be created to do a 'subset' of fs_usage's features pretty quickly... let me tinker...)

I've got a working program, beginning to look similar to what you're looking for, have to do some more work on it to get closer, but you're all welcome to try it.

Bitbucket Hg Repository - fs_usage

Answer 4

The two closest options I can see (built-in) would be iostat and inotify. iostat will just show input/output stats for a device or partition on the system. inotify is a system file watcher, that you can hook into with a script to alert you of file changes. You would have to write your own event code to tell it to listen for file reads/writes, and then what to do with that signal.

From the link/man page :

Inotify can be used to monitor individual files, or to monitor directories. When a directory is monitored, inotify will return events for the directory itself, and for files inside the directory.

Personally, I'd write a Python or bash script to run the inotify when I needed to monitor for changes, and disable it when uneeded.

Answer 5

fatrace (File Activity Trace)

fatrace reports file access events (Open, Read, Write, Close) from all running processes. Its main purpose is to find processes which keep waking up the disk unnecessarily and thus prevent some power saving.

When running it outputs in real time one line per file event in this format:

<timestamp> <process-name(pid)>: <file-event> </path/to/file>

For example:

23:10:21.375341 Plex Media Serv(2290): W /srv/dev-disk-by-uuid-UID/Plex/Library/Application Support/Plex Media Server/Logs/Plex Media Server.log

From which you easily get all the necessary infos

• WHEN: Timestamp, if using the --timestamp option

• WHO: Process name (who is accessing)

• WHAT: File operation event (O-pen, R-read, W-rite, C-lose)

• WHERE: Filepath (where is it writing to).

• You can limit the search scope with --current-mount to only record events on the partition/mount of your current directory.

  • So simply cd into the volume which corresponds to your spinning HDD first, and there run ftrace with the --current-mount option.

• Without this option, all (real) partitions/mount points are being watched.

Super practical

• Being a macOS Unix/Terminal user for 20 years now, and now working with Linux too, it's the closest to macOS fs_usage I found.
• With this tool you very quickly find out which process so far unknown to you is causing what file activity so far unknown to you in no time.
• All the other tools were not useful for my purposes because they either let you monitor a particular process or a particular directory/file. But not let you "investigate the unknown" in a quick and real time manner.

Answer 6

Install sysstat and use the command

sar -B 1