Score:0

How to monitor when a file/folder is moved, and where it moved to?

I'm looking for a way to monitor when a file/folder is moved, as well as where it was moved to.

So far in my research I've come across tools such as auditd, watch and inotify. While these tools are great at monitoring when a file moves, they don't keep track of where the file moved to.

I have also looked at the syslogs generated when a file is moved but they are painful to read/parse.

Are there any tools out there that can perform this function? Or should I start writing my own script?

Score:1

I was able to get the functionality to work with auditd.

The following command monitors

auditctl -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F dir=/path/to/folder/to/monitor -F key=DONT_MOVE

The key can be any string of your choice, and will be used to filter audit logs for this specific entry.

For persistence, you can append the above string without auditctl to /etc/audit/audit.rules.

To check if/where the folder moved, run ausearch -k DONT_MOVE. The logs are not very human friendly, but they do list the timestamp and to/from paths.
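
To make the output of the rule above easier to read, the following added example (not part of the original answer) groups raw audit records by event and pairs each rename's source and destination. It assumes the raw record layout printed by `ausearch -k DONT_MOVE --raw`; the sample records, paths and the `moves`/`decode` helper names are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Constructed sample in raw audit.log form; the last name is hex-encoded by auditd
# because it contains a space.
SAMPLE = '''\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=82 success=yes exit=0 items=4 pid=1001 uid=1000 comm="mv" exe="/usr/bin/mv" key="DONT_MOVE"
type=CWD msg=audit(1700000000.123:456): cwd="/srv/data"
type=PATH msg=audit(1700000000.123:456): item=0 name="/srv/data" inode=10 nametype=PARENT
type=PATH msg=audit(1700000000.123:456): item=1 name="/srv/archive/" inode=20 nametype=PARENT
type=PATH msg=audit(1700000000.123:456): item=2 name="report.txt" inode=30 nametype=DELETE
type=PATH msg=audit(1700000000.123:456): item=3 name=2F7372762F617263686976652F6F6C64207265706F72742E747874 inode=30 nametype=CREATE
'''
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$', re.M)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Quoted values are literal; unquoted path values are hex-encoded bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode('utf-8', 'replace')
    except ValueError:
        return value  # e.g. (null)

def moves(raw):
    """Return [(epoch_seconds, uid, source, destination)] for rename events."""
    events = defaultdict(lambda: {'paths': {}})
    for rtype, ts, serial, body in HEADER.findall(raw):
        fields = dict(FIELD.findall(body))
        ev = events[(ts, serial)]  # records sharing timestamp:serial are one event
        if rtype == 'SYSCALL':
            ev['uid'] = fields.get('uid')
        elif rtype == 'CWD':
            ev['cwd'] = decode(fields['cwd'])
        elif rtype == 'PATH':
            # first record of each nametype wins
            ev['paths'].setdefault(fields.get('nametype'), decode(fields['name']))
    out = []
    for (ts, _), ev in sorted(events.items()):
        p = ev['paths']
        if 'DELETE' in p and 'CREATE' in p:  # unlink/rmdir events have no CREATE
            cwd = ev.get('cwd', '/')  # relative names are resolved against CWD
            out.append((float(ts), ev.get('uid'),
                        os.path.normpath(os.path.join(cwd, p['DELETE'])),
                        os.path.normpath(os.path.join(cwd, p['CREATE']))))
    return out
```

Calling `moves(SAMPLE)` yields one tuple per rename with the timestamp, the acting uid, and the absolute from/to paths.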
