Linux: which process created a file?

Is it possible to find out what program or script created a given file?

Three files have suddenly appeared in my home directory, called «client_state.xml», «lockfile», and «time_stats_log». The last two are empty. I’m wondering how they got there. It’s not the first time it has happened, but the last time was weeks ago; I deleted the files and nothing broke or complained. I haven’t been able to think of what I was doing at the time reported by stat $filename. Is there any way I can find out where they came from? Alternatively, is there a way to monitor the home directory (but not sub-directories) for the creation of files?

7 Answers

You can watch everything that happens on a filesystem by accessing it over LoggedFS. This is a stacked filesystem that logs every access in a directory tree.

loggedfs -l /var/tmp/$USER-home-fs.log ~ 

Logging your whole home directory might slow your system down though. You’ll at least want to write a configuration file with stringent filters.

If you have root access, on Linux, you can use the audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

auditctl -a exit,always -F path=/path/to/file 

If you put a watch on a directory (with -w or -F dir=), the files in it and its subdirectories recursively are also watched.

The problem with auditd is that in a typical stock configuration, the log file might be written over before you examine it, because the default limit of an 8MB log file is very small.

The opposite action of the -w is -W which removes the specified watch rule.

I don’t believe there is a way to determine which program created a file.

For your alternative question: You can watch for the file to be recreated, though, using inotify. inotifywait is a command-line interface for the inotify subsystem; you can tell it to look for create events in your home directory:

$ (sleep 5; touch ~/making-a-test-file) &
[1] 22526
$ inotifywait -e create ~/
Setting up watches.
Watches established.
/home/mmrozek/ CREATE making-a-test-file

You probably want to run it with -m (monitor), which tells it not to exit after it sees the first event.
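The non-recursive watch described above, as an added example that is not part of this answer: it drives the inotify(7) API directly through ctypes (no inotify-tools needed) and shows that a watch on a directory reports a file or subdirectory created in it but not a file created inside that subdirectory. The names watch_dir, read_events and demo are this example's own.

```python
"""Core of 'inotifywait -m -e create DIR' on the raw inotify(7) API via ctypes (added example,
no inotify-tools needed). A watch on a directory reports only entries created directly in it."""
import ctypes
import os
import struct
import tempfile

IN_CREATE, IN_MOVED_TO, IN_ISDIR = 0x00000100, 0x00000080, 0x40000000   # from <sys/inotify.h>
_HDR = struct.Struct("iIII")                   # struct inotify_event: wd, mask, cookie, len
_libc = ctypes.CDLL(None, use_errno=True)      # Linux only: dlopen(NULL) exposes libc
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]

def watch_dir(path):
    """Return an inotify fd watching `path` for entries created in or moved into it."""
    fd = _libc.inotify_init1(os.O_NONBLOCK | os.O_CLOEXEC)
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1")
    if _libc.inotify_add_watch(fd, os.fsencode(path), IN_CREATE | IN_MOVED_TO) < 0:
        err = ctypes.get_errno()
        os.close(fd)
        raise OSError(err, "inotify_add_watch")
    return fd

def read_events(fd):
    """Drain queued events into a list of (name, is_dir); empty if nothing happened."""
    try:
        buf = os.read(fd, 64 * 1024)
    except BlockingIOError:                     # O_NONBLOCK and the queue is empty
        return []
    out, off = [], 0
    while off < len(buf):
        _wd, mask, _cookie, length = _HDR.unpack_from(buf, off)
        off += _HDR.size
        name = buf[off:off + length].split(b"\0", 1)[0].decode(errors="replace")
        off += length                             # name is NUL-padded to an alignment boundary
        if mask & (IN_CREATE | IN_MOVED_TO):        # skip IN_IGNORED / IN_Q_OVERFLOW
            out.append((name, bool(mask & IN_ISDIR)))
    return out

def demo():
    """Constructed run: a file, a subdirectory and a file inside it; only the first two show up."""
    with tempfile.TemporaryDirectory() as home:
        fd = watch_dir(home)
        try:
            open(os.path.join(home, "making-a-test-file"), "w").close()
            os.mkdir(os.path.join(home, "sub"))
            open(os.path.join(home, "sub", "hidden"), "w").close()
            return read_events(fd)
        finally:
            os.close(fd)
```

A real monitor would loop on select(2)/poll(2) over the fd and call read_events each time it becomes readable; a home-directory watch this way costs one watch descriptor, whereas inotifywait -r would need one per subdirectory.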


@Wolf What distro? If you build your own kernel, it’s CONFIG_INOTIFY_USER (Filesystems -> Inotify support for userspace). inotifywait is probably in a package named something like inotify-tools.

@Michael, it’s openSUSE 11.3. I’ve never built a kernel; have only been using Linux about 5 months and it’s a bit of a daunting concept. But I’ll look around for a tutorial or something.

@Michael Actually, after a little more hunting and research, I added a community repository which, it turns out, contains the inotify-tools package, so I now have inotifywait (and inotifywatch). I tested it out and it seems to work.

I know this is an old question, but I’ll suggest another approach just in case someone finds it useful. I originally posted this as an answer to a question that was duped to this one.

One option is to use sysdig: an open-source system monitoring application. Using it, you can monitor for activity on a file by name. Suppose that you wanted to see what process was creating a file named /tmp/example.txt:

# sysdig fd.name=/tmp/example.txt
567335 16:18:39.654437223 0 touch (5470) < openat fd=3(/tmp/example.txt) dirfd=-100(AT_FDCWD) name=/tmp/example.txt flags=70(O_NONBLOCK|O_CREAT|O_WRONLY) mode=0666
567336 16:18:39.654438248 0 touch (5470) > dup fd=3(/tmp/example.txt)
567337 16:18:39.654438592 0 touch (5470) < dup res=0(/tmp/example.txt)
567338 16:18:39.654439629 0 touch (5470) > close fd=3(/tmp/example.txt)
567339 16:18:39.654439764 0 touch (5470) < close res=0
567342 16:18:39.654441958 0 touch (5470) >close fd=0(/tmp/example.txt)
567343 16:18:39.654442111 0 touch (5470) < close res=0

From that output, you can see that a process named touch with pid 5470 opened the file.

If you want more information, you could run in "capture mode" where a system call trace is collected:

Then wait for the file to be created, then stop sysdig and run:

# csysdig -r /tmp/dumpfile.scap 

That'll let you explore everything that happened. You can press and select Files, then press to search for the filename, then press to "dig" (which will show you output similar to the command above). With that, you can then use the same approach to find information about the process that actually created the file.

There's a GUI version of csysdig called sysdig-inspect, if that's more your cup of tea.


How can you figure out which program/process is creating a file? [duplicate]

Suppose there's a file that keeps appearing in my home directory automatically even after I delete it. Knowing nothing more about it, is there a way to figure out what keeps putting that file there? Is there a way to track down the program/process that creates it?


Monitor which process create a file


There are two Linux servers, one is Ubuntu 14 and the other is CentOS 7. When users connect with SSH and work, we found some files like below. I couldn't find any tools to find which process creates it. Are my servers infected?

1 Answer

You can't retrospectively determine what process created a file. You have to monitor the system while the file is created.

Use auditd to help you out. Once it's installed and running, run the following as root from the directory listed above:

auditctl -w "$(pwd)/1"
auditctl -w "$(pwd)/=1"

Once you've seen that the file(s) have been created or modified, run the following:

You should see output with records that are delimited by breaks (----).

I see the following having setup a watch on /home/attie/testing , and then using touch to create/update it:

time->Mon Sep 10 14:41:07 2018
type=PROCTITLE msg=audit(1536586867.166:1192): proctitle=746F7563680074657374696E67
type=PATH msg=audit(1536586867.166:1192): item=1 name="testing" inode=8442 dev=00:b8 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1536586867.166:1192): item=0 name="/home/attie" inode=4 dev=00:b8 mode=040701 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1536586867.166:1192): cwd="/home/attie"
type=SYSCALL msg=audit(1536586867.166:1192): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc35557634 a1=941 a2=1b6 a3=69d items=2 ppid=25572 pid=31301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=24669 comm="touch" exe="/bin/touch" key=(null)

Note the following key pieces of information:

  • type=PATH [...] item=1 name="testing"
  • type=CWD [...] cwd="/home/attie"
  • type=SYSCALL [...] exe="/bin/touch"

Once you've established what's going on, you'll want to remove the rule(s) - this will delete all rules:
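Added example, not part of this answer: a small parser for the ausearch-style records shown above that groups records by event id and reports, for each created path, the cwd, exe, pid, ppid, auid and the decoded proctitle. The first sample event copies the values from the output above, the second event (cat reading the file) is constructed to show a non-creating access being filtered out, and parse_record, decode_proctitle and file_creations are this example's own names.

```python
"""Extract the creating process from ausearch-style audit records (added example).
Records are grouped by the event id in msg=audit(<time>:<serial>); an event whose PATH
item carries nametype=CREATE is a file creation and its SYSCALL record names the process."""
import re
from collections import defaultdict

# Constructed sample: event 1192 copies the answer's output; 1193 (cat reading it) is invented.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(1536586867.166:1192): proctitle=746F7563680074657374696E67
type=PATH msg=audit(1536586867.166:1192): item=1 name="testing" inode=8442 dev=00:b8 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1536586867.166:1192): item=0 name="/home/attie" inode=4 dev=00:b8 mode=040701 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1536586867.166:1192): cwd="/home/attie"
type=SYSCALL msg=audit(1536586867.166:1192): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc35557634 a1=941 a2=1b6 a3=69d items=2 ppid=25572 pid=31301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=24669 comm="touch" exe="/bin/touch" key=(null)
----
type=PATH msg=audit(1536586869.001:1193): item=0 name="testing" inode=8442 dev=00:b8 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1536586869.001:1193): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=25572 pid=31310 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key=(null)
"""

_EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"

def parse_record(line):
    """(event_id, fields) for one 'type=... msg=audit(...): k=v ...' line, else None."""
    m = _EVENT_ID.search(line)
    if not m:
        return None                               # 'time->' and '----' separator lines
    return (m.group(1), int(m.group(2))), {k: v.strip('"') for k, v in _KV.findall(line)}

def decode_proctitle(value):
    """auditd hex-encodes proctitle when it holds NULs; NUL separates argv entries."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return value                              # plain quoted proctitle, e.g. bash
    return b" ".join(bytes.fromhex(value).split(b"\0")).decode(errors="replace").strip()

def file_creations(lines):
    """One dict per audit event that created a path: what, where and by whom."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            events[parsed[0]].append(parsed[1])
    for (ts, serial), recs in sorted(events.items()):
        created = [r["name"] for r in recs if r.get("type") == "PATH" and r.get("nametype") == "CREATE"]
        if not created:
            continue                              # opens of existing files, lookups, ...
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), {})
        yield {"time": ts, "serial": serial, "created": created,
               "cwd": next((r["cwd"] for r in recs if r.get("type") == "CWD"), None),
               "exe": sc.get("exe"), "pid": sc.get("pid"), "ppid": sc.get("ppid"), "auid": sc.get("auid"),
               "cmdline": decode_proctitle(next((r["proctitle"] for r in recs if r.get("type") == "PROCTITLE"), ""))}
```

key=(null) in the output above shows the watch was added without a key; auditctl -w PATH -k NAME tags matching records so that ausearch -k NAME finds them without a path filter. The pair arch=c000003e, syscall=2 is open(2) on x86_64, and auid (the login uid) survives su/sudo, which is what tells you which logged-in user the creating process belongs to.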


How find out which process is using a file in Linux?

You can use the fuser command, which is part of the psmisc package, like:

You will receive a list of processes using the file.

You can use different flags with it, in order to receive a more detailed output.

You can find more info in the fuser's Wikipedia article, or in the man pages.

@khris, it might be that not all fuser implementations are the same, or work the same way. Even if -i is defined in POSIX, the particular implementation you are using does not necessarily have the same options as the ones described in the Wikipedia article. For example, I'm using AIX right now, and the fuser available in this system does not have the -i option either.

For some reason, neither fuser nor lsof were working for me on a virtualbox guest. This answer saved me.

@jim's answer is correct -- fuser is what you want.

Additionally (or alternately), you can use lsof to get more information including the username, in case you need permission (without having to run an additional command) to kill the process. (Though of course, if killing the process is what you want, fuser can do that with its -k option. You can have fuser use other signals with the -s option -- check the man page for details.)

For example, with a tail -F /etc/passwd running in one window:

ghoti@pc:~$ lsof | grep passwd
tail 12470 ghoti 3r REG 251,0 2037 51515911 /etc/passwd

Note that you can also use lsof to find out what processes are using particular sockets. An excellent tool to have in your arsenal.

