Posted: 12 May 2024 at 5:47 PM. Post ID: 19589

Monitor Linux processes without root permissions.

pspy is a tool for monitoring Linux processes and filesystem events without root privileges. It scans /proc for new processes and uses inotify to watch directories, so an unprivileged user can watch the commands other users, root included, are running as they happen. That is the reason it turns up so often in privilege-escalation enumeration: cron jobs and scripts run by root show up with their full command lines.

Download it from the GitHub releases page. The statically linked binaries there run as-is; drop one into /usr/local/bin (or anywhere on your PATH). Because they are static, the same binary can be copied onto a box that has no Go toolchain.

(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 ~  $ pspy64 -h
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
 
 
     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░
 
Usage:
  pspy [flags]
 
Flags:
  -c, --color                        color the printed events (default true)
      --debug                        print detailed error messages
  -d, --dirs stringArray             watch these dirs
  -f, --fsevents                     print file system events to stdout
  -h, --help                         help for pspy
  -i, --interval int                 scan every 'interval' milliseconds for new processes (default 100)
      --ppid                         record process ppids
  -p, --procevents                   print new processes to stdout (default true)
  -r, --recursive_dirs stringArray   watch these dirs recursively (default [/usr,/tmp,/etc,/home,/var,/opt])
  -t, --truncate int                 truncate process cmds longer than this (default 2048)

I ran pspy -f and then ran dnf up to update my AlmaLinux packages; this listed all filesystem changes.

(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 ~  $ pspy64 -f
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=true ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/05/12 17:03:32 FS:               ACCESS | /home/jcartwright/Music/musicfiles/amb_x14_lab1_l.ogg.ogg
2024/05/12 17:03:32 CMD: UID=1000  PID=87348  | pspy64 -f 
2024/05/12 17:03:32 CMD: UID=0     PID=87335  | 
2024/05/12 17:03:32 CMD: UID=0     PID=87244  | /usr/libexec/packagekitd 
2024/05/12 17:03:32 CMD: UID=0     PID=86928  | 
2024/05/12 17:03:32 CMD: UID=0     PID=86747  | 
2024/05/12 17:03:32 CMD: UID=0     PID=86746  | 
2024/05/12 17:03:32 CMD: UID=1000  PID=78514  | /usr/lib64/firefox/firefox -contentproc -childID 110 -isForBrowser -prefsLen 33806 -prefMapSize 242646 -jsInitLen 240916 -parentBuildID 20240419092950 -appDir /usr/lib64/firefox/browser {b17208ca-e9ed-4141-8b72-9cb841a2b64b} 3031 tab 
2024/05/12 17:03:32 CMD: UID=0     PID=76766  | 
2024/05/12 17:03:32 CMD: UID=0     PID=73857  | 
2024/05/12 17:03:32 CMD: UID=1000  PID=73788  | /usr/lib64/firefox/firefox -contentproc -childID 109 -isForBrowser -prefsLen 33806 -prefMapSize 242646 -jsInitLen 240916 -parentBuildID 20240419092950 -appDir /usr/lib64/firefox/browser {ef0d16cb-3e6f-4109-8f73-3749928adba2} 3031 tab 
2024/05/12 17:03:32 CMD: UID=0     PID=73781  | 
2024/05/12 17:03:32 CMD: UID=1000  PID=69912  | /usr/lib64/xfce4/xfconf/xfconfd 
2024/05/12 17:03:32 CMD: UID=1000  PID=65328  | /usr/lib64/firefox/firefox -contentproc -childID 108 -isForBrowser -prefsLen 33740 -prefMapSize 242646 -jsInitLen 240916 -parentBuildID 20240419092950 -appDir /usr/lib64/firefox/browser {dda1ad9d-b04e-4300-9da6-5e0a85fa8235} 3031 tab 
2024/05/12 17:03:32 CMD: UID=0     PID=34094  | 
2024/05/12 17:03:32 CMD: UID=0     PID=32035  | 
2024/05/12 17:03:32 CMD: UID=0     PID=31881  | 
2024/05/12 17:03:32 CMD: UID=0     PID=24271  | 
2024/05/12 17:03:32 CMD: UID=0     PID=18428  | 
2024/05/12 17:03:32 CMD: UID=0     PID=15886  | 
2024/05/12 17:03:32 CMD: UID=0     PID=15874  | 
2024/05/12 17:03:32 CMD: UID=0     PID=15867  | 
2024/05/12 17:03:32 CMD: UID=0     PID=15049  | 
2024/05/12 17:03:32 CMD: UID=0     PID=15048  | 
2024/05/12 17:03:32 CMD: UID=0     PID=12600  | 
2024/05/12 17:03:32 CMD: UID=0     PID=12522  | 
2024/05/12 17:03:32 CMD: UID=0     PID=11876  | 
2024/05/12 17:03:32 CMD: UID=0     PID=11044  | 
2024/05/12 17:03:32 CMD: UID=0     PID=10606  | 
2024/05/12 17:03:32 CMD: UID=0     PID=10507  | 
2024/05/12 17:03:32 CMD: UID=0     PID=10477  | bash 
2024/05/12 17:03:32 CMD: UID=0     PID=10471  | su 
2024/05/12 17:03:32 CMD: UID=1000  PID=10377  | -bash 
2024/05/12 17:03:32 CMD: UID=0     PID=10281  | 
2024/05/12 17:03:32 CMD: UID=0     PID=10177  | 
2024/05/12 17:03:32 CMD: UID=0     PID=10169  | 
2024/05/12 17:03:32 CMD: UID=0     PID=10107  | 
2024/05/12 17:03:32 CMD: UID=0     PID=9617   |

This is very useful for watching the filesystem changes a given command makes. One caveat: inotify events carry no PID, so pspy cannot tell you which process touched a file. It prints FS and CMD events into the same timestamped stream and you correlate the two by time, which works well for a command you start yourself and less well on a busy host.

Or clone the source from GitHub:

(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 Documents  $ git clone https://github.com/DominicBreuker/pspy.git
Cloning into 'pspy'...
remote: Enumerating objects: 1126, done.
remote: Counting objects: 100% (141/141), done.
remote: Compressing objects: 100% (31/31), done.
remote: Total 1126 (delta 122), reused 110 (delta 110), pack-reused 985
Receiving objects: 100% (1126/1126), 9.28 MiB | 5.65 MiB/s, done.
Resolving deltas: 100% (523/523), done.

Or download the compiled binary for the release shown above: https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64.

pspy uses the Linux inotify API to watch directories for filesystem changes and scans /proc to discover processes. Neither needs root: the list of /proc/PID directories and each process's /proc/PID/cmdline are world-readable by default, which is how an unprivileged user gets to read the command lines of root's processes. Run pspy with no parameters and it prints every process already running, then each new process as it starts; filesystem events are only printed with -f. The initial listing is in descending PID order, so the most recently started processes (the highest PIDs) are at the top and PID 1 is at the bottom. A blank command is a process with an empty /proc/PID/cmdline, typically a kernel thread; with the default hidepid=0 nothing is being hidden from you. What does defeat pspy is /proc mounted with hidepid=1 (other users' /proc/PID directories become unreadable) or hidepid=2 (they disappear from the listing altogether), so check /proc/mounts before trusting a quiet run. It is a great application: run a Linux command and watch the filesystem changes it causes in the default directories [/usr,/tmp,/etc,/home,/var,/opt], or in directories of your choosing with -d and -r.
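To make the "no root needed" point concrete, here is a small POSIX shell poller in the spirit of pspy's process scan. It is an added example, not pspy's own code; the function names, the "watch" argument and the 0.1-second default interval are choices made for this page, and it assumes a Linux /proc.

```shell
# Minimal /proc poller in the spirit of pspy (added example, not pspy's own code).
# Everything below reads world-readable files under /proc, which is why neither
# pspy nor this script needs root. Mounting /proc with hidepid=1 or hidepid=2 is
# what takes that visibility away, so that is reported first.

# proc_hidepid: print the hidepid= option /proc is mounted with.
# "hidepid=0" (the default) means every user can list and read every /proc/PID.
proc_hidepid() {
    awk '$2 == "/proc" {
             n = split($4, o, ",")
             for (i = 1; i <= n; i++) if (o[i] ~ /^hidepid=/) h = o[i]
         }
         END { print (h != "" ? h : "hidepid=0") }' /proc/mounts
}

# proc_info PID: print one pspy-style line, "UID=<real uid> PID=<pid> | <cmdline>".
# Returns 1 if the PID does not exist or its /proc entry is hidden from us.
proc_info() {
    pid=$1
    [ -r "/proc/$pid/status" ] || return 1
    # Real UID is the first number on the "Uid:" line of /proc/PID/status.
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    # /proc/PID/cmdline is NUL-separated; kernel threads have an empty one,
    # which is why pspy prints a blank command for many UID=0 PIDs.
    cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")
    printf 'UID=%s PID=%s | %s\n' "$uid" "$pid" "$cmd"
}

# snapshot_pids: one PID per line, from the numeric entries in /proc.
snapshot_pids() {
    for p in /proc/[0-9]*; do printf '%s\n' "${p##*/}"; done
}

# new_pids "OLD LIST" "NEW LIST": PIDs present in NEW but not in OLD, one per line.
# Lists are whitespace-separated; the padded-space trick stops "1" matching "12".
new_pids() {
    old=" $(printf '%s ' $1)"
    for pid in $2; do
        case "$old" in
            *" $pid "*) ;;
            *) printf '%s\n' "$pid" ;;
        esac
    done
}

# watch_procs [INTERVAL]: poll /proc like pspy's -i loop and print each new
# process once. Processes that start and exit between two polls are missed;
# pspy narrows that window by also rescanning whenever an inotify event fires.
watch_procs() {
    interval=${1:-0.1}
    old=$(snapshot_pids)
    while sleep "$interval"; do
        new=$(snapshot_pids)
        for pid in $(new_pids "$old" "$new"); do
            proc_info "$pid" || true   # may have exited already
        done
        old=$new
    done
}

# Usage: sh procwatch.sh watch [interval-seconds]   (Ctrl-C to stop).
# Sourcing the file only defines the functions.
case "${1:-}" in
    watch) proc_hidepid; watch_procs "${2:-0.1}" ;;
esac
```

Run it as a normal user in one terminal and start a command in another: the new process appears with its UID and full command line, root-owned or not, exactly as pspy shows it. If proc_hidepid prints hidepid=1 or hidepid=2, other users' processes will be missing and the quiet output means nothing.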

This is how to view only filesystem events, and only those under /tmp (-p=false switches process events off, and -r /tmp replaces the default directory list):

(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 Documents  $ pspy64 -f -r /tmp -p=false
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=false | file-system-events=true ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/tmp] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/05/12 17:34:12 FS:           CREATE DIR | /tmp/systemd-private-5c57a154dfdb411cbc411edcdc85ae54-systemd-hostnamed.service-QSuFTJ
2024/05/12 17:34:12 FS:             OPEN DIR | /tmp/
2024/05/12 17:34:12 FS:    CLOSE_NOWRITE DIR | /tmp/
2024/05/12 17:34:12 FS:             OPEN DIR | /tmp/
2024/05/12 17:34:12 FS:    CLOSE_NOWRITE DIR | /tmp/
2024/05/12 17:34:19 FS:               CREATE | /tmp/fileme
2024/05/12 17:34:19 FS:                 OPEN | /tmp/fileme
2024/05/12 17:34:19 FS:               ATTRIB | /tmp/fileme
2024/05/12 17:34:19 FS:          CLOSE_WRITE | /tmp/fileme

That was just the creation of a simple file, but it shows up all the same:

(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 Documents  $ cd /tmp/
(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 tmp  $ touch fileme

It also shows the private /tmp directories that systemd creates for services configured with PrivateTmp=yes. These appear and disappear as the service (here systemd-hostnamed) starts and stops, and are noise for most purposes:

(jcartwright@2403-4800-25af-b00--2) 192.168.1.5 Documents  $ pspy64 -f -r /tmp -p=false
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=false | file-system-events=true ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/tmp] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2024/05/12 17:34:12 FS:           CREATE DIR | /tmp/systemd-private-5c57a154dfdb411cbc411edcdc85ae54-systemd-hostnamed.service-QSuFTJ
2024/05/12 17:34:12 FS:             OPEN DIR | /tmp/
2024/05/12 17:34:12 FS:    CLOSE_NOWRITE DIR | /tmp/
2024/05/12 17:34:12 FS:             OPEN DIR | /tmp/
2024/05/12 17:34:12 FS:    CLOSE_NOWRITE DIR | /tmp/
2024/05/12 17:34:19 FS:               CREATE | /tmp/fileme
2024/05/12 17:34:19 FS:                 OPEN | /tmp/fileme
2024/05/12 17:34:19 FS:               ATTRIB | /tmp/fileme
2024/05/12 17:34:19 FS:          CLOSE_WRITE | /tmp/fileme
2024/05/12 17:34:42 FS:             OPEN DIR | /tmp/systemd-private-5c57a154dfdb411cbc411edcdc85ae54-systemd-hostnamed.service-QSuFTJ
2024/05/12 17:34:42 FS:           ACCESS DIR | /tmp/systemd-private-5c57a154dfdb411cbc411edcdc85ae54-systemd-hostnamed.service-QSuFTJ
2024/05/12 17:34:42 FS:           ACCESS DIR | /tmp/systemd-private-5c57a154dfdb411cbc411edcdc85ae54-systemd-hostnamed.service-QSuFTJ
2024/05/12 17:34:42 FS:    CLOSE_NOWRITE DIR | /tmp/systemd-private-5c57a154dfdb411cbc411edcdc85ae54-systemd-hostnamed.service-QSuFTJ
2024/05/12 17:34:42 FS:           DELETE DIR | /tmp/systemd-private-5c57a154dfdb411cbc411edcdc85ae54-systemd-hostnamed.service-QSuFTJ
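pspy's FS lines mix the interesting writes with directory opens and systemd PrivateTmp churn, and its CMD lines mix root daemons, kernel threads and your own shell. The two awk filters below are an added example, not anything shipped with pspy: one keeps the write-type filesystem events outside /tmp/systemd-private-*, the other keeps root (UID=0) processes that have a non-empty command line. The sample lines are constructed from the output shown on this page so the filters can be exercised offline. When piping live output through them, run pspy with -c=false, because the coloured default output carries escape codes these filters do not strip.

```shell
# Filters for pspy's plain-text output (added example; not part of pspy).
# Constructed sample, copied from the output shown on this page, so the
# functions can be run without a live pspy:
PSPY_SAMPLE=$(cat <<'EOF'
2024/05/12 17:34:12 FS:           CREATE DIR | /tmp/systemd-private-5c57a154dfdb411cbc411edcdc85ae54-systemd-hostnamed.service-QSuFTJ
2024/05/12 17:34:12 FS:             OPEN DIR | /tmp/
2024/05/12 17:34:12 FS:    CLOSE_NOWRITE DIR | /tmp/
2024/05/12 17:34:19 FS:               CREATE | /tmp/fileme
2024/05/12 17:34:19 FS:                 OPEN | /tmp/fileme
2024/05/12 17:34:19 FS:               ATTRIB | /tmp/fileme
2024/05/12 17:34:19 FS:          CLOSE_WRITE | /tmp/fileme
2024/05/12 17:03:32 CMD: UID=1000  PID=10377  | -bash
2024/05/12 17:03:32 CMD: UID=0     PID=87335  |
2024/05/12 17:03:32 CMD: UID=0     PID=10471  | su
EOF
)

# pspy_fs_filter: read pspy output on stdin, keep only write-type FS events
# outside systemd's PrivateTmp directories. Prints "<EVENT> <PATH>" per line.
# Line layout handled: "<date> <time> FS: <event words> | <path>".
pspy_fs_filter() {
    awk '
    $3 == "FS:" {
        n = index($0, " |"); if (n == 0) next
        path = substr($0, n + 2); sub(/^ +/, "", path); sub(/ +$/, "", path)
        ev = substr($0, 1, n - 1); sub(/^.*FS: +/, "", ev); sub(/ +$/, "", ev)
        if (path ~ /^\/tmp\/systemd-private-/) next        # PrivateTmp churn
        if (ev ~ /^(OPEN|ACCESS|CLOSE_NOWRITE)/) next       # reads, not writes
        print ev " " path
    }'
}

# pspy_root_cmds: read pspy output on stdin, keep only UID=0 processes with a
# readable, non-empty command line. Prints "PID=<n> <command>" per line.
# Line layout handled: "<date> <time> CMD: UID=<u> PID=<p> | <cmdline>".
pspy_root_cmds() {
    awk '
    $3 == "CMD:" && $4 == "UID=0" {
        n = index($0, " |"); if (n == 0) next
        cmd = substr($0, n + 2); sub(/^ +/, "", cmd); sub(/ +$/, "", cmd)
        if (cmd == "") next                                # kernel thread, no cmdline
        print $5 " " cmd
    }'
}

# Offline demonstration on the constructed sample:
#   printf '%s\n' "$PSPY_SAMPLE" | pspy_fs_filter
#   printf '%s\n' "$PSPY_SAMPLE" | pspy_root_cmds
# Live: pspy64 -f -c=false | pspy_fs_filter    and    pspy64 -c=false | pspy_root_cmds
```

On the sample, pspy_fs_filter reduces the eleven lines to the three writes to /tmp/fileme (CREATE, ATTRIB, CLOSE_WRITE), and pspy_root_cmds keeps only PID=10471 su, dropping the kernel thread and the UID=1000 shell. Left running against a live pspy, the second filter is a quick way to catch scheduled root jobs together with the arguments and script paths they are run with.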
