Linux which process created file

How to determine which process is creating a file? [duplicate]

I thought one of the inotify_tools (inotifywatch or inotifywait) would do this kind of thing. These tools are great if you want to know when a filesystem event happens, but it doesn’t look like you can get a pid from inotify.

You could do inotifywait $file; lsof -r1 $file, though. It’s much better than running while loops or using watch.

5 Answers

The lsof command (already mentioned in several answers) will tell you what process has a file open at the time you run it. lsof is available for just about every unix variant.

lsof won’t tell you about files that were opened two microseconds ago and closed one microsecond ago. If you need to watch a particular file and react when it is accessed, you need different tools.

If you can plan a little in advance, you can put the file on a LoggedFS filesystem. LoggedFS is a FUSE stacked filesystem that logs all accesses to files in a hierarchy. The logging parameters are highly configurable. FUSE is available on all major unices. You’ll want to log accesses to the directory where the file is created. Start with the provided sample configuration file and tweak it according to this guide.

loggedfs -l /path/to/log_file -c /path/to/config.xml /path/to/directory
tail -f /path/to/log_file

Many unices offer other monitoring facilities. Under Linux, you can use the relatively new audit subsystem. There isn’t much literature about it (but more than about loggedfs); you can start with this tutorial or a few examples or just with the auditctl man page. Here, it should be enough to make sure the daemon is started, then run auditctl :

(I think older systems need auditctl -a exit,always -w /path/to/file) and watch the logs in /var/log/audit/audit.log.


How can you figure out which program/process is creating a file? [duplicate]

Suppose there’s a file that keeps appearing in my home directory automatically even after I delete it. Knowing nothing more about it, is there a way to figure out what keeps putting that file there? Is there a way to track down the program/process that creates it?


1 Answer

One option is to use sysdig: an open-source system monitoring application. Using it, you can monitor for activity on a file by name. Suppose that you wanted to see what process was creating a file named /tmp/example.txt:

# sysdig fd.name=/tmp/example.txt
567335 16:18:39.654437223 0 touch (5470) < openat fd=3(/tmp/example.txt) dirfd=-100(AT_FDCWD) name=/tmp/example.txt flags=70(O_NONBLOCK|O_CREAT|O_WRONLY) mode=0666
567336 16:18:39.654438248 0 touch (5470) > dup fd=3(/tmp/example.txt)
567337 16:18:39.654438592 0 touch (5470) < dup res=0(/tmp/example.txt)
567338 16:18:39.654439629 0 touch (5470) > close fd=3(/tmp/example.txt)
567339 16:18:39.654439764 0 touch (5470) < close res=0
567342 16:18:39.654441958 0 touch (5470) > close fd=0(/tmp/example.txt)
567343 16:18:39.654442111 0 touch (5470) < close res=0

From that output, you can see that a process named touch with pid 5470 opened the file.

If you want more information, you could run in "capture mode" where a system call trace is collected:

Then wait for the file to be created, then stop sysdig and run:

# csysdig -r /tmp/dumpfile.scap 

That'll let you explore everything that happened. You can press and select Files, then press to search for the filename, then press to "dig" (which will show you output similar to the command above). With that, you can then use the same approach to find information about the process that actually created the file.

There's a GUI version of csysdig called sysdig-inspect, if that's more your cup of tea.
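As an added example (not from the answer above, and not sysdig's own tooling): a small Python parser over sysdig's default event lines that picks out successful opens carrying O_CREAT and reports which process made them. The sample lines are the ones from the answer plus one constructed failed open.

```python
import re

# Constructed sample input: the event sequence shown in the answer above, plus one
# failed open (fd=-13, EACCES) to show that a refused O_CREAT creates nothing.
SAMPLE = """\
567335 16:18:39.654437223 0 touch (5470) < openat fd=3(/tmp/example.txt) dirfd=-100(AT_FDCWD) name=/tmp/example.txt flags=70(O_NONBLOCK|O_CREAT|O_WRONLY) mode=0666
567336 16:18:39.654438248 0 touch (5470) > dup fd=3(/tmp/example.txt)
567337 16:18:39.654438592 0 touch (5470) < dup res=0(/tmp/example.txt)
567338 16:18:39.654439629 0 touch (5470) > close fd=3(/tmp/example.txt)
567339 16:18:39.654439764 0 touch (5470) < close res=0
567350 16:18:40.000000000 1 sh (5480) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/var/log/example.log flags=70(O_NONBLOCK|O_CREAT|O_WRONLY) mode=0644
"""

# One sysdig event line: evtnum time cpu comm (pid) direction syscall [args]
EVENT_RE = re.compile(r"^(?P<evt>\d+) (?P<time>\S+) (?P<cpu>\d+) (?P<comm>\S+) \((?P<pid>\d+)\) "
                      r"(?P<dir>[<>]) (?P<syscall>\w+)(?: (?P<args>.*))?$")
ARG_RE = re.compile(r"(\w+)=(\S+)")   # k=v pairs; a path containing spaces would need more care

def creating_opens(text):
    """Return (comm, pid, path) for each successful open that asked for O_CREAT."""
    hits = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["dir"] != "<":          # only the exit event carries the result fd
            continue
        if m["syscall"] not in ("open", "openat", "openat2", "creat"):
            continue
        args = dict(ARG_RE.findall(m["args"] or ""))
        # "3(/tmp/example.txt)" -> 3, "-13(EACCES)" -> -13
        fd = int(args.get("fd", "-1").split("(")[0])
        if fd < 0:                            # the open failed, so nothing was created
            continue
        if m["syscall"] != "creat" and "O_CREAT" not in args.get("flags", ""):
            continue
        hits.append((m["comm"], int(m["pid"]), args.get("name", "")))
    return hits
```

O_CREAT only says the caller asked for creation; when the file already existed the open is still reported, so confirm with the inode or a later stat if that distinction matters.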


Is it possible to find out what program or script created a given file?

Three files have suddenly appeared in my home directory, called "client_state.xml", "lockfile", and "time_stats_log". The last two are empty. I'm wondering how they got there. It's not the first time it has happened, but the last time was weeks ago; I deleted the files and nothing broke or complained. I haven't been able to think of what I was doing at the time reported by stat $filename . Is there any way I can find out where they came from? Alternatively, is there a way to monitor the home directory (but not sub-directories) for the creation of files?

7 Answers

You can watch everything that happens on a filesystem by accessing it over LoggedFS. This is a stacked filesystem that logs every access in a directory tree.

loggedfs -l /var/tmp/$USER-home-fs.log ~ 

Logging your whole home directory might slow your system down though. You'll at least want to write a configuration file with stringent filters.

If you have root access, on Linux, you can use the audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

auditctl -a exit,always -F path=/path/to/file 

If you put a watch on a directory (with -w or -F dir=), the files in it and its subdirectories recursively are also watched.


The problem with auditd is that in a typical stock configuration, the log file might be written over before you examine it, because the default limit of an 8MB log file is very small.

The opposite action of the -w is -W which removes the specified watch rule.

I don't believe there is a way to determine which program created a file.

For your alternative question: You can watch for the file to be recreated, though, using inotify. inotifywait is a command-line interface for the inotify subsystem; you can tell it to look for create events in your home directory:

$ (sleep 5; touch ~/making-a-test-file) &
[1] 22526
$ inotifywait -e create ~/
Setting up watches.
Watches established.
/home/mmrozek/ CREATE making-a-test-file

You probably want to run it with -m (monitor), which tells it not to exit after it sees the first event.

@Wolf What distro? If you build your own kernel, it's CONFIG_INOTIFY_USER (Filesystems -> Inotify support for userspace). inotifywait is probably in a package named something like inotify-tools

@Michael, it's openSUSE 11.3. I've never built a kernel; have only been using Linux about 5 months and it's a bit of a daunting concept. But I'll look around for a tutorial or something.

@Michael Actually, after a little more hunting and research, I added a community repository which, it turns out, contains the inotify-tools package, so I now have inotifywait (and inotifywatch). I tested it out and it seems to work.


Monitor which process creates a file


There are two Linux servers, one Ubuntu 14 and the other CentOS 7. When users connect with ssh and work, we found some files like below. I couldn't find any tools to find which process creates it. Are my servers infected?

1 Answer

You can't retrospectively determine what process created a file. You have to monitor the system while the file is created.

Use auditd to help you out. Once it's installed and running, run the following as root from the directory listed above:

auditctl -w "$(pwd)/1"
auditctl -w "$(pwd)/=1"

Once you've seen that the file(s) have been created or modified, run the following:

You should see output with records that are delimited by breaks (----).

I see the following having setup a watch on /home/attie/testing , and then using touch to create/update it:

time->Mon Sep 10 14:41:07 2018
type=PROCTITLE msg=audit(1536586867.166:1192): proctitle=746F7563680074657374696E67
type=PATH msg=audit(1536586867.166:1192): item=1 name="testing" inode=8442 dev=00:b8 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1536586867.166:1192): item=0 name="/home/attie" inode=4 dev=00:b8 mode=040701 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1536586867.166:1192): cwd="/home/attie"
type=SYSCALL msg=audit(1536586867.166:1192): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc35557634 a1=941 a2=1b6 a3=69d items=2 ppid=25572 pid=31301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=24669 comm="touch" exe="/bin/touch" key=(null)

Note the following key pieces of information:

  • type=PATH [...] item=1 name="testing"
  • type=CWD [...] cwd="/home/attie"
  • type=SYSCALL [...] exe="/bin/touch"

Once you've established what's going on, you'll want to remove the rule(s) - this will delete all rules:
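As an added example (not part of the answer, and not an audit-framework tool): Python that groups audit records by event id, joins the PATH item with nametype=CREATE to the CWD and SYSCALL records of the same event, and decodes the hex PROCTITLE, so a raw audit.log becomes one "who created what" record per file. The sample input is the event from the answer above.

```python
import os, re, shlex

# Constructed sample input: the audit event (id 1192) shown in the answer above.
SAMPLE = """\
time->Mon Sep 10 14:41:07 2018
type=PROCTITLE msg=audit(1536586867.166:1192): proctitle=746F7563680074657374696E67
type=PATH msg=audit(1536586867.166:1192): item=1 name="testing" inode=8442 dev=00:b8 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1536586867.166:1192): item=0 name="/home/attie" inode=4 dev=00:b8 mode=040701 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=CWD msg=audit(1536586867.166:1192): cwd="/home/attie"
type=SYSCALL msg=audit(1536586867.166:1192): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc35557634 a1=941 a2=1b6 a3=69d items=2 ppid=25572 pid=31301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=24669 comm="touch" exe="/bin/touch" key=(null)
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\): (?P<body>.*)$')

def parse_fields(body):
    # 'k=v k2="quoted v"' -> dict; shlex strips the quotes audit puts around strings
    return dict(tok.partition("=")[::2] for tok in shlex.split(body))

def file_creations(log_text):
    """Group records by event id; return one dict per file an event created."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:                        # "----" and "time->" lines carry no fields
            continue
        ev = events.setdefault(m["id"], {"paths": [], "cwd": None, "sc": {}, "cmd": None})
        f = parse_fields(m["body"])
        if m["type"] == "PATH":
            ev["paths"].append(f)
        elif m["type"] == "CWD":
            ev["cwd"] = f.get("cwd")
        elif m["type"] == "SYSCALL":
            ev["sc"] = f
        elif m["type"] == "PROCTITLE":   # argv is hex with NUL separators unless auditd quoted it
            raw = f.get("proctitle", "")
            ev["cmd"] = raw if 'proctitle="' in m["body"] else bytes.fromhex(raw).replace(b"\0", b" ").decode(errors="replace")
    hits = []
    for eid, ev in events.items():
        sc = ev["sc"]
        if sc.get("success") != "yes":   # a failed syscall created nothing
            continue
        for p in ev["paths"]:
            if p.get("nametype") != "CREATE":
                continue
            path = p["name"]             # relative names resolve against the CWD record
            if not os.path.isabs(path) and ev["cwd"]:
                path = os.path.normpath(os.path.join(ev["cwd"], path))
            hits.append({"event": eid, "path": path, "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
                         "auid": sc.get("auid"), "uid": sc.get("uid"), "comm": sc.get("comm"), "exe": sc.get("exe"), "cmdline": ev["cmd"]})
    return hits
```

The auid (login uid) survives su and sudo, so it is the field that tells you which logged-in user's session the creating process belongs to, even when uid is 0.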
