tools: Add dirwatch

We often need to monitor which processes in a directory have created and
modified files, especially in the /etc directory. For example, sometimes
the /etc/fstab is deleted by mistake, which causes the system to fail to
reboot.

The dirwatch tool can monitor the creation and deletion of all files in a
single directory, and can even capture the parent process when the verbose
(-V) message is displayed.

Terminal 1:

    $ sudo ./dirwatch.py -D /etc/

Terminal 2:

    $ sudo mkdir -p /etc/a/b/c/d/e/
    $ sudo touch /etc/a/b/c/d/e/readme
    $ sudo rm -rf /etc/a

Then, Terminal 1 shows:

    $ sudo ./dirwatch.py -D /etc/
    Tracing file remove ... Hit Ctrl-C to end
    TIME     PID      COMM         OPERATE  INODE        FILEPATH
    15:40:35 28094    mkdir        MKDIR    2015         /etc//a
    15:40:35 28094    mkdir        MKDIR    67426298     /etc//a/b
    15:40:35 28094    mkdir        MKDIR    134492307    /etc//a/b/c
    15:40:35 28094    mkdir        MKDIR    201858033    /etc//a/b/c/d
    15:40:35 28094    mkdir        MKDIR    2058         /etc//a/b/c/d/e
    15:40:46 28100    touch        CREATE   2059         /etc//a/b/c/d/e/readme
    15:40:57 28107    rm           UNLINK   2059         /etc//a/b/c/d/e/readme
    15:40:57 28107    rm           RMDIR    2058         /etc//a/b/c/d/e
    15:40:57 28107    rm           RMDIR    201858033    /etc//a/b/c/d
    15:40:57 28107    rm           RMDIR    134492307    /etc//a/b/c
    15:40:57 28107    rm           RMDIR    67426298     /etc//a/b
    15:40:57 28107    rm           RMDIR    2015         /etc//a

TODO: Not support symbol link yet.

Signed-off-by: Rong Tao <[email protected]>

man/man8/dirwatch.8

@@ -0,0 +1,73 @@
+.TH dirwatch 8  "2023-11-05" "USER COMMANDS"
+.SH NAME
+dirwatch \- Monitor directory file create and remove. Uses bcc/eBPF.
+.SH SYNOPSIS
+.B dirwatch
+.SH DESCRIPTION
+dirwatch monitor directory file create and remove.
+
+This program is also a basic example of bcc and tracepoint.
+
+Since this uses BPF, only the root user can use this tool.
+.SH REQUIREMENTS
+CONFIG_BPF and bcc.
+.SH OPTIONS
+.TP
+\-D, --directory DIRECTORY
+Specify directory to watch.
+.TP
+\-V, --verbose
+Show file/directory create and remove, and show parent task pid/comm
+.SH EXAMPLES
+.TP
+Monitor directory file create and remove
+#
+.B dirwatch
+.TP
+Trace /etc:
+#
+.B dirwatch \-D /etc
+.TP
+Trace /etc with verbose:
+#
+.B dirwatch \-D /etc -V
+.SH FIELDS
+.TP
+TIME
+A timestamp on the output, in "HH:MM:SS" format.
+.TP
+PID
+The process ID.
+.TP
+COMM
+The process COMM.
+.TP
+PPID
+The parent process COMM (-V).
+.TP
+PCOMM
+The parent process COMM (-V).
+.TP
+OPERATE
+File operation, support CREATE, MKDIR, UNLINK, RMDIR.
+.TP
+INOTE
+Inode number, see also 'stat -c %i'.
+.TP
+FILEPATH
+Show the file path.
+.SH SOURCE
+This is from bcc.
+.IP
+https://github.com/iovisor/bcc
+.PP
+Also look in the bcc distribution for a companion _examples.txt file
+containing example usage, output, and commentary for this tool.
+.SH OS
+Linux
+.SH STABILITY
+Unstable - in development.
+.SH AUTHOR
+Rong Tao <[email protected]>
+.SH SEE ALSO
+filelife(8), filegone(8)