I'm looking for a way to monitor when a file/folder is moved, as well as where it was moved to.
So far in my research I've come across tools such as auditd, watch and inotify. While these tools are great at monitoring when a file moves, they don't keep track of where the file moved to.
I have also looked at the syslogs generated when a file is moved but they are painful to read/parse.
Are there any tools out there than can perform this function? Or should I start writing my own script?
Best Answer
I was able to get the functionality to work with
auditd.The following command monitors
auditctl -a always,exit -F arch=b64 -S rename,rmdir,unlink,unlinkat,renameat -F dir=/path/to/folder/to/monitor -F key=DONT_MOVEThe key can be any string of your choice, and will be used to filter audit logs for this specific entry.
For persistence, you can append the above string without
auditctlto/etc/audit/audit.rules.To check if/where the folder moved, run
ausearch -k DONT_MOVE. The logs are not very human friendly, but they do list the timestamp and to/from paths.