
Recently I was debugging quite a convoluted bunch of daemons. It was an integration task with the goal of setting proper permissions on the temporary files they use. I had to know which daemon was trying to access a certain file, and which user and group memberships were active for that daemon. There are several ways to check what is accessing a file on Linux. The audit subsystem seemed the most suitable one, as I did not know the exact timing of the access events.

To get things going I had to hook up a non-core repo on my CentOS 6.8 machine, then install audit with:

sudo yum install audit

Then start the daemon:

sudo service auditd start

Check that the audit daemon is actually running:

sudo service auditd status

Add the watch rule:

auditctl -w /path/to/my/file -p rawx

The -w parameter sets which file or dir to monitor. If a directory is given, then all files and sub-dirs are going to be monitored.

The -p parameter selects which kinds of access to monitor. I threw in all of them: r - for read, a - for append, w - for write, x - for execute.

The output can be found in /var/log/audit.log

Interestingly enough, there were no access events for that file until I cut its permissions down to just execute and set the ownership to root:root. The idea was to provoke an access error, as I knew the file was going to be read or written. Then auditd threw the event of interest, so I could see which process tried to access the file, and the daemon's UID and GID among other info.
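As an added example (not code from the original post), here is a small Python parser for the raw records such a watch produces: each syscall yields a SYSCALL record plus CWD/PATH records that share the same msg=audit(timestamp:serial) id, and joining them on that id gives the process, UID/GID and success flag for a given path. The sample log lines, the daemon name "mydaemon" and its uid/gid values are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's raw log format (not real captures).
# Event 4521: an unprivileged daemon is denied (exit=-13, EACCES) on the watched file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1481587200.123:4521): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2d1c3f10 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2873 auid=4294967295 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=4294967295 comm="mydaemon" exe="/usr/sbin/mydaemon" key=(null)
type=CWD msg=audit(1481587200.123:4521):  cwd="/"
type=PATH msg=audit(1481587200.123:4521): item=0 name="/path/to/my/file" inode=131078 dev=fd:00 mode=0100100 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1481587201.456:4522): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2d1c3f10 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="init" exe="/sbin/init" key=(null)
type=PATH msg=audit(1481587201.456:4522): item=0 name="/etc/inittab" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_records(text):
    """Group raw audit lines into events keyed by (timestamp, serial).
    Every record belonging to one syscall shares that id."""
    events = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record, skip it
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[(float(ts), int(serial))]
        if rtype == "PATH":
            ev["PATH"].append(fields)  # a syscall may touch several paths
        else:
            ev[rtype] = fields
    return events

def accesses_to(text, path):
    """Summarise who touched `path`: one entry per matching event, oldest first."""
    out = []
    for (ts, serial), ev in sorted(parse_records(text).items()):
        sc = ev.get("SYSCALL")
        if not sc or not any(p.get("name") == path for p in ev["PATH"]):
            continue
        out.append({
            "time": ts, "serial": serial, "pid": int(sc["pid"]),
            "comm": sc["comm"], "exe": sc["exe"],
            "uid": int(sc["uid"]), "gid": int(sc["gid"]),
            "success": sc["success"] == "yes", "exit": int(sc["exit"]),
        })
    return out

if __name__ == "__main__":
    for access in accesses_to(SAMPLE_LOG, "/path/to/my/file"):
        print(access)
```

On a live system `ausearch -f /path/to/my/file` performs the same join against the real log.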

Another method could have been the inotify command line utility, which comes with the incron package. Will try it some other time. And last, but not least, all that goodness is available from kernel 2.6 and up; you may be out of luck if you are running an older kernel.

Added by: ep | Date: 2016-12-13