Rainer Dorsch wrote:
Is there a way to trace all accesses to a directory tree (e.g. /mnt/disk) ? Is there another way to find out which data are accessed and if possible by which process?
for files that are kept open by particular processes, you might play with fuser and lsof (see man pages)
you could try setting /proc/sys/vm/block_dump to 1 - which will log every disk access to syslog (see http://sprocket.io/blog/2006/05/monitoring-filesystem-activity-under-linux-with-block_dump/) - though I expect auditd (as someone else suggested) would be less painful
I also seem to recall that there's something in the /proc filesystem that provides a running list of file operations
take a look at iwatch - that might be exactly what you want (haven't played with it myself) - see
http://prefetch.net/blog/index.php/2009/02/28/monitoring-file-activity-on-linux-hosts/ -- In theory, there is no difference between theory and practice. In<fnord> practice, there is. .... Yogi Berra