4

Possible Duplicate:
Is it possible to find out what program or script created a given file?

Can I find somewhere in logs the times of creation of hidden files or directories under the /home/username/ directory?

If not, can I use some application to log this for me? It should contain time of creation, file or directory name and who created it (app or user) sorted by time and date.

Improve this question
5
  • 2
    Seems to cry for LoggedFS - FS monitoring with FUSE; see this for configuration. Commented May 9, 2012 at 15:05
  • I usually simply check the backup log. New files automatically appear in that logfile every night. Commented May 9, 2012 at 18:29
  • What is "hidden"? Commented May 9, 2012 at 20:42
  • @Nils files or directories beginning with . They are often created by some applications. Commented May 9, 2012 at 20:43
  • ok - since these are "normal" files and directories with respect to the filesystem, you can read their timestamps etc. with stat, too. Commented May 9, 2012 at 20:50

2 Answers 2

Reset to default
6

Specific for Linux, the auditd package should be able to provide the information you are looking for. It uses the audit functionality provided by the 2.6 and later kernel. Here is a Quick Start which is specific to SLES, but will give you an idea of how auditd works and how to configure it.

From the auditctl man page:

-w path
    Insert  a  watch for the file system object at path. You cannot insert
    a watch to the top level directory. This is prohibited by the  kernel. 
    Wildcards  are not supported either and will generate a warning. The way
    that watches work is by tracking the inode internally. If you place a 
    watch on a file, its the same as  using  the  -F  path  option  on a 
    syscall rule. If you place a watch on a directory, its the same as using
    the -F dir option on a syscall rule.  The  -w form  of  writing watches 
    is for backwards compatibility and the syscall based form is more
    expressive. Unlike most syscall auditing rules,  watches  do  not impact
    performance  based on the number of rules sent to the kernel. The only 
    valid options when using a watch are the -p and -k. If you  need to     
    anything fancy like audit a specific user accessing a file, then use 
    the syscall auditing form with the path or dir fields.
Improve this answer
2
  • Also available in OSX, but the options are a bit different, as per usual. Commented May 9, 2012 at 15:49
  • 3
    Audit is not able to filter for hidden files only. But you can run reports afterwards to do the filtering. Commented May 9, 2012 at 16:24
3

There is no log file which contains information about hidden files or directories in your home directory. But you can see the creation time of the files/directories using for example ls -l -c or stat <file>.

Beside auditd, which uther mentioned in his answer, there is inotifywait from the inotify-tools package to watch any changes in a directory in Linux.

To monitor any file/directory creations in your home directory run

inotifywait -m -e create $HOME

To watch changes in subdirectories, add the -r flag.

inotifywait does not display the program which actually does the change.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.