Monitor File or Directory Changes in Linux with Systemd

PowerADM.com / Uncategorized / Monitor File or Directory Changes in Linux with Systemd

To track changes to the Linux file system and report changes to apps, the inotify kernel subsystem can be used. For example, when a file or directory is created, modified, read, or deleted, inotify allows a specific action (command, script) to be executed.

In modern Linux distros based on systemd, it is much more convenient to use path units to track filesystem events. Essentially, this is a high-level layer on top of inotify that allows you to easily and conveniently create triggers for file system events.

Let’s create a simple systemd unit that will monitor file changes in the specified directory and perform a specific action (run a bash script). For example, we’re going to create a unit that monitors changes to /etc/passwd file and sends an email alert when the file is changed.

Create a shell script file:

$ sudo mcedit /usr/local/bin/passwd-change-alert.sh

#!/bin/bash
mail -S sendwait -s "passwd file changed on $(hostname)" admin@poweradm.com < /etc/passwd

Allow the script to run:

$ sudo chmod +x email-alert.sh

Create a system unit to run the script:

$ sudo mcedit /etc/systemd/system/passwd-change.service

[Unit]
Description="Send email alert"
[Service]
ExecStart=/usr/local/bin/passwd-change-alert.sh

Now, create a path unit:

$ sudo mcedit /etc/systemd/system/passwd-change.path

[Unit]
Description="Check for /etc/passwd changes"
[Path]
PathModified=/etc/passwd
Unit=passwd-change.service
[Install]
WantedBy=multi-user.target

systemd path units to track filesystem changes

  • PathModified – the unit should track changes to the file;
  • Unit – start the specified service when the file has been modified.
The systemd.path unit only works with local file systems. It doesn’t support mounted SMB folders (How to mount Windows shared folders in Linux) or remote NFS directories.

Update systemd configuration:

$ systemctl daemon-reload

Start the unit and add it to the startup:

$ sudo systemctl enable --now passwd-change.path

To view the trigger history of the file system, use the command:

$ sudo journalctl -u passwd-change.path

You can monitor various file system events in the systemd.path unit. Instead of the PathModified directive, you can use:

  • PathExists – check if the file exists;
  • PathExistsGlob – similar to the previous option, but you can specify files/directories by mask;
  • PathChanged – track file changes (triggered when saving changes);
  • PathModified – tracks file modification (the trigger is activated immediately, without waiting for the edit to finish);
  • DirectoryNotEmpty – monitors directory file creation. Additional options available here: MakeDirectory (if true – automatically create a destination directory), DirectoryMode (set permissions for the directory, default 0755).

Additional options:

  • TriggerLimitIntervalSec – the unit will not be triggered more often than the specified time (2 seconds by default)
  • TriggerLimitBurst – maximum number of unit activations per specified time (the default is 200). The unit will fail and not operate until restarted if this value is exceeded.

The [Path] section allows you to track multiple file system objects at the same time. The unit is started when any of the conditions are met.

Previously we had a look at other types of useful systemd units:

Leave a Reply

Your email address will not be published. Required fields are marked *