I am trying to use inotifywait to detect when a process checks for the existence of a file, but the event is not captured.
For example, this program checks if /tmp/test exists:
#include <stdio.h>
#include <unistd.h>
int main() {
if (access("/tmp/test", F_OK) == 0) {
printf("yes");
} else {
printf("no");
}
}
Compile with:
gcc -o testfileexists testfileexists.c
Now run inotifywait to monitor /tmp:
inotifywait -r -m -c /tmp
Then run testfileexists to check if /tmp/test exists:
./testfileexists
No output is displayed from inotifywait.
Is there a way to capture file existence checks that occur (via access() or stat(), or bash [ -f for example)?
Calling access(/tmp/test) does not create, delete, or modify a file, so there are no events for inotifywait to capture.
Similarly, you can't use inotify to capture someone's attempt to open a file that doesn't exist: trying to cat /tmp/test, if /tmp/test doesn't exist, doesn't generate any filesystem events, either.
Depending on what you're trying to do, there are ways to capture this access. For example, if you run the target code under control of strace, you can log the check:
$ strace -e trace=access ./checkfile
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
access("/tmp/test", F_OK) = -1 ENOENT (No such file or directory)
no+++ exited with 0 +++
You can perform similar monitoring using tools like perf trace.