• fanotify


    Linux File Event Monitoring with Fanotify [Part 1] - Zhihu (zhihu.com)

    Filesystem event                   Inotify   Fanotify
    ACCESS                             Y         Y
    MODIFY                             Y         Y
    ATTRIB                             Y         -
    CLOSE_WRITE                        Y         Y
    CLOSE_NOWRITE                      Y         Y
    OPEN                               Y         Y
    MOVED_FROM                         Y         Linux 5.1
    MOVED_TO                           Y         Linux 5.1
    CREATE                             Y         -
    DELETE                             Y         -
    DELETE_SELF                        Y         -
    MOVE_SELF                          Y         -
    UNMOUNT                            Y         -
    OPEN_PERM (permission-related)     -         Y
    ACCESS_PERM (permission-related)   -         Y

           FAN_ACCESS
                  A file or a directory (but see BUGS) was accessed (read).

           FAN_OPEN
                  A file or a directory was opened.

           FAN_OPEN_EXEC
                  A file was opened with the intent to be executed.  See
                  NOTES in fanotify_mark(2) for additional details.

           FAN_ATTRIB
                  A file or directory metadata was changed.

           FAN_CREATE
                  A child file or directory was created in a watched parent.

           FAN_DELETE
                  A child file or directory was deleted in a watched parent.

           FAN_DELETE_SELF
                  A watched file or directory was deleted.

           FAN_MOVED_FROM
                  A file or directory has been moved from a watched parent
                  directory.

           FAN_MOVED_TO
                  A file or directory has been moved to a watched parent
                  directory.

           FAN_MOVE_SELF
                  A watched file or directory was moved.

           FAN_MODIFY
                  A file was modified.

           FAN_CLOSE_WRITE
                  A file that was opened for writing (O_WRONLY or O_RDWR)
                  was closed.

           FAN_CLOSE_NOWRITE
                  A file or directory that was opened read-only (O_RDONLY)
                  was closed.

           FAN_Q_OVERFLOW
                  The event queue exceeded the limit of 16384 entries.  This
                  limit can be overridden by specifying the
                  FAN_UNLIMITED_QUEUE flag when calling fanotify_init(2).

           FAN_ACCESS_PERM
                  An application wants to read a file or directory, for
                  example using read(2) or readdir(2).  The reader must
                  write a response (as described below) that determines
                  whether the permission to access the filesystem object
                  shall be granted.

           FAN_OPEN_PERM
                  An application wants to open a file or directory.  The
                  reader must write a response that determines whether the
                  permission to open the filesystem object shall be granted.

           FAN_OPEN_EXEC_PERM
                  An application wants to open a file for execution.  The
                  reader must write a response that determines whether the
                  permission to open the filesystem object for execution
                  shall be granted.  See NOTES in fanotify_mark(2) for
                  additional details.

           To check for any close event, the following bit mask may be used:

           FAN_CLOSE
                  A file was closed.  This is a synonym for:

                      FAN_CLOSE_WRITE | FAN_CLOSE_NOWRITE

           To check for any move event, the following bit mask may be used:

           FAN_MOVE
                  A file or directory was moved.  This is a synonym for:

                      FAN_MOVED_FROM | FAN_MOVED_TO

           The following bits may appear in mask only in conjunction with
           other event type bits:

           FAN_ONDIR

    The article below states that inotify cannot tell which process modified a file, whereas fanotify can, and that inotify also cannot monitor /proc, because inotify watches inodes.

    Automated Reverse Shell Defense Techniques - Tencent Cloud Developer Community - Tencent Cloud (tencent.com)
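Added example (not code from the original page or from either linked article): a minimal fanotify listener that shows the two points above in practice, the pid that fanotify attaches to every event and the permission events (FAN_OPEN_PERM) that block the opener until the listener answers. It assumes Linux with CAP_SYS_ADMIN; the watched directory defaults to /tmp, a constructed choice, and can be passed as the first argument.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
/* Decode an event mask into "NAME|NAME..." (static buffer, single-threaded use). */
const char *describe_mask(uint64_t mask) {
    static const struct { uint64_t bit; const char *name; } names[] = {
        { FAN_ACCESS, "ACCESS" }, { FAN_OPEN, "OPEN" }, { FAN_MODIFY, "MODIFY" }, { FAN_CLOSE_WRITE, "CLOSE_WRITE" },
        { FAN_CLOSE_NOWRITE, "CLOSE_NOWRITE" }, { FAN_ACCESS_PERM, "ACCESS_PERM" }, { FAN_OPEN_PERM, "OPEN_PERM" },
    };
    static char buf[128];
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (mask & names[i].bit) {
            if (buf[0]) strcat(buf, "|");
            strcat(buf, names[i].name);
        }
    return buf;
}
/* Permission events hold the calling process until the listener writes a response. */
int needs_response(uint64_t mask) {
    return (mask & (FAN_OPEN_PERM | FAN_ACCESS_PERM)) != 0;
}
/* Watch one directory (default /tmp, constructed), print pid/event/path, allow every open. */
int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_CLOEXEC);
    if (fd < 0) { perror("fanotify_init"); return 1; }
    if (fanotify_mark(fd, FAN_MARK_ADD, FAN_OPEN_PERM | FAN_CLOSE_WRITE | FAN_EVENT_ON_CHILD,
                      AT_FDCWD, dir) < 0) { perror("fanotify_mark"); return 1; }
    char ebuf[4096], path[4096], link[64];
    for (;;) {
        ssize_t n = read(fd, ebuf, sizeof ebuf); if (n <= 0) { perror("read"); return 1; }
        struct fanotify_event_metadata *md = (struct fanotify_event_metadata *)ebuf;
        for (; FAN_EVENT_OK(md, n); md = FAN_EVENT_NEXT(md, n)) {
            snprintf(link, sizeof link, "/proc/self/fd/%d", md->fd);  /* object fd -> path */
            ssize_t l = readlink(link, path, sizeof path - 1); path[l > 0 ? l : 0] = '\0';
            /* unlike inotify, the metadata carries the pid of the process behind the event */
            printf("pid %d %s %s\n", (int)md->pid, describe_mask(md->mask), path);
            if (needs_response(md->mask)) {  /* FAN_DENY here would veto the open instead */
                struct fanotify_response resp = { .fd = md->fd, .response = FAN_ALLOW };
                if (write(fd, &resp, sizeof resp) < 0) perror("write");
            }
            close(md->fd);
        }
    }
}
```

Because the group is FAN_CLASS_CONTENT, each event arrives with an open descriptor to the object, which is why the path is recovered through /proc/self/fd and the descriptor must be closed after use.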

  • Original article: https://blog.csdn.net/SHELLCODE_8BIT/article/details/127887699