fanotify_init - Linux


fanotify_init is a system call used to create an instance of a file notification group, known as a fanout. This group serves as a central point for monitoring file system events, allowing applications to receive notifications when specific operations occur on designated files or directories. Fanotify is particularly useful for security monitoring, real-time file synchronization, backup applications, and maintaining file system integrity.


fanotify_init(flags, event_f_flags, mark) -> fd

Required Arguments:

  • flags: Integer flags controlling fanout initialization.
  • event_f_flags: Integer flags governing the types of file system events to be monitored.

Optional Arguments:

  • mark: An arbitrary integer used to identify the fanout group. If omitted, a unique mark is automatically assigned.



Flags:

  • FAN_CLASS_PRE_CONTENT: Monitor events prior to data modifications.
  • FAN_CLASS_CONTENT: Monitor events involving data modifications.
  • FAN_CLASS_NOTIF: Monitor events related to file notifications.
  • FAN_CLOEXEC: Close the fanout descriptor when the process exits.
  • FAN_NONBLOCK: Make the fanout descriptor non-blocking.


Event Types:

  • FAN_ACCESS: File access (read or write)
  • FAN_MODIFY: File modification (change in data or metadata)
  • FAN_ATTRIB: File attribute changes (e.g., permissions, timestamps)
  • FAN_OPEN: File open
  • FAN_CLOSE_WRITE: File close after write
  • FAN_CLOSE_NOWRITE: File close without write
  • FAN_REMOVE: File deletion


Simple File Event Monitoring:

fd = fanotify_init(FAN_CLASS_PRE_CONTENT, FAN_OPEN, 0)

Monitoring Specific Directory:

dir_fd = os.open("/path/to/dir", os.O_RDONLY)
fd = fanotify_init(FAN_CLASS_PRE_CONTENT, FAN_OPEN, 0)
fanotify_mark(fd, FAN_MARK_ADD, dir_fd, FAN_OPEN)
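
The following C program is an added example, not code from this page. It follows the glibc prototypes in <sys/fanotify.h>, where fanotify_init() takes two arguments (group flags, then the open(2) flags for event descriptors) and the event mask is passed to fanotify_mark(). The function names watch_dir and count_events are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/fanotify.h>
#include <unistd.h>

/* Create a notification-only group and mark one directory (assumed name:
 * watch_dir) for opens and close-after-write on it and its direct children.
 * Returns the group fd, or -errno: -EPERM (no CAP_SYS_ADMIN), -EINVAL (bad
 * flag combination), -EMFILE (group or descriptor limit reached). */
int watch_dir(const char *path)
{
    /* Arg 1: notification class plus descriptor flags.
     * Arg 2: open(2) status flags for the fd delivered with each event. */
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_CLOEXEC);
    if (fan < 0)
        return -errno;
    /* The event mask is given to fanotify_mark(), not to fanotify_init(). */
    if (fanotify_mark(fan, FAN_MARK_ADD,
                      FAN_OPEN | FAN_CLOSE_WRITE | FAN_EVENT_ON_CHILD,
                      AT_FDCWD, path) < 0) {
        int err = errno;
        close(fan);
        return -err;
    }
    return fan;
}

/* Walk a buffer filled by read(2) on the group fd (assumed name:
 * count_events). Returns how many events intersect `want`, or -1 when the
 * metadata version does not match the headers this was compiled against. */
int count_events(void *buf, ssize_t len, unsigned long long want)
{
    struct fanotify_event_metadata *ev = buf;
    int hits = 0;
    while (FAN_EVENT_OK(ev, len)) {
        if (ev->vers != FANOTIFY_METADATA_VERSION)
            return -1;
        if (ev->mask & want)
            hits++;
        if (ev->fd >= 0)     /* FAN_NOFD (-1) means no file is attached */
            close(ev->fd);   /* unclosed event fds exhaust the fd table */
        ev = FAN_EVENT_NEXT(ev, len);
    }
    return hits;
}
```

A monitoring loop would call watch_dir() once, then pass each buffer returned by read(2) on that descriptor to count_events().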

Common Issues

  • Permission Denied: Ensure the user running the command has sufficient permissions to monitor the target file or directory.
  • Invalid Flags: Verify that the provided flags are valid and compatible.
  • File Descriptor Limit: The number of fanotify groups is limited by system resources. Exceeding this limit may result in failures.


Integration with Other Tools:

  • inotifywait: Use fanotify with inotifywait to perform advanced file system event monitoring tasks.
  • logrotate: Integrate fanotify to monitor log file rotations and trigger appropriate actions.
  • Tripwire: Utilize fanotify for file integrity monitoring, notifying Tripwire of unauthorized changes.

Related Commands

  • fanotify_mark: Manage file notifications within a fanout group.
  • inotify: Monitor file system events using a different approach (event-based instead of group-based).