Is it possible to find out what program or script created a given file?

Question

Three files have suddenly appeared in my home directory, called "client_state.xml", "lockfile", and "time_stats_log". The last two are empty. I'm wondering how they got there. It's not the first time it has happened, but the last time was weeks ago; I deleted the files and nothing broke or complained. I haven't been able to think of what I was doing at the time reported by stat $filename. Is there any way I can find out where they came from?

Alternatively, is there a way to monitor the home directory (but not sub-directories) for the creation of files?

Answer 1

You can watch everything that happens on a filesystem by accessing it over LoggedFS. This is a stacked filesystem that logs every access in a directory tree.

loggedfs -l /var/tmp/$USER-home-fs.log ~

Logging your whole home directory might slow your system down though. You'll at least want to write a configuration file with stringent filters.

If you have root access, on Linux, you can use the audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

auditctl -w /path/to/file

or in the long form

auditctl -a exit,always -F path=/path/to/file

If you put a watch on a directory (with -w or -F dir=), the files in it and its subdirectories recursively are also watched.

Answer 2

I don't believe there is a way to determine which program created a file.

For your alternative question: You can watch for the file to be recreated, though, using inotify. inotifywait is a command-line interface for the inotify subsystem; you can tell it to look for create events in your home directory:

$ (sleep 5; touch ~/making-a-test-file) &
[1] 22526

$ inotifywait -e create ~/
Setting up watches.
Watches established.
/home/mmrozek/ CREATE making-a-test-file

You probably want to run it with -m (monitor), which tells it not to exit after it sees the first event

Answer 3

I know this is an old question, but I'll suggest another approach just in case someone finds it useful. I originally posted this as an answer to a question that was duped to this one.

One option is to use sysdig: an open-source system monitoring application. Using it, you can monitor for activity on a file by name. Suppose that you wanted to see what process was creating a file named /tmp/example.txt:

# sysdig fd.name=/tmp/example.txt
567335 16:18:39.654437223 0 touch (5470) < openat fd=3(<f>/tmp/example.txt) dirfd=-100(AT_FDCWD) name=/tmp/example.txt flags=70(O_NONBLOCK|O_CREAT|O_WRONLY) mode=0666
567336 16:18:39.654438248 0 touch (5470) > dup fd=3(<f>/tmp/example.txt)
567337 16:18:39.654438592 0 touch (5470) < dup res=0(<f>/tmp/example.txt)
567338 16:18:39.654439629 0 touch (5470) > close fd=3(<f>/tmp/example.txt)
567339 16:18:39.654439764 0 touch (5470) < close res=0
567342 16:18:39.654441958 0 touch (5470) > close fd=0(<f>/tmp/example.txt)
567343 16:18:39.654442111 0 touch (5470) < close res=0

From that output, you can see that a process named touch with pid 5470 opened the file.

If you want more information, you could run in "capture mode" where a system call trace is collected:

# sysdig -w /tmp/dumpfile.scap

Then wait for the file to be created, then stop sysdig and run:

# csysdig -r /tmp/dumpfile.scap

That'll let you explore everything that happened. You can press <F2> and select Files, the press <F4> to search for the filename, then press <F6> to "dig" (which will show you output similar to the command above). With that, you can then use the same approach to find information about the process that actually created the file.

There's a GUI version of csysdig called sysdig-inspect, if that's more your cup of tea.

Answer 4

You might want to take a look at auditd, this package allows you to do security auditing, and get a lot of information about who changed what in the filesystem.

Answer 5

You haven't got inotify so you can write a script that checks for the file in a loop:

#!/bin/sh

while [ true ]; do                     # Run for as long as nessesary
  if [ -f /path/to/file ]; then        # If fileexists
    echo "Found file"                  # Notify and stop monitoring
    exit 0
  fi
  sleep 5                             # Else wait 5 secs
done

Answer 6

You can use the Linux Audit System to get information and events occurring on files.

touch hello.txt
sudo auditd
sudo auditctl -w $PWD/hello.txt -p warx -k hello-file
echo 'hello world' > hello.txt
sudo ausearch -k hello-file

Answer 7

You can use inotifywait in conjunction with lsof to figure out what process has created a file if you're able to run the following command ahead of time - i.e. waiting for the file to be created. Assuming you don't know the filename, but you do know the directory, you would use this command:

inotifywait -e create /tmp | tee /dev/stderr | grep CREATE | cut -d ' ' -f 3 | xargs -I {} lsof /tmp/{}

Replace the two instances of /tmp with the absolute path to the directory you want to watch.

Answer 8

After creating the rule with

auditctl -w /home/me/mysterious_file -k watch_for_mysterious_file

I use this script to get desktop notifications via notify-send:

#!/bin/bash

# /usr/local/bin/audit-monitor.sh

user_to_notify="me"

# Audit key that ausearch uses
audit_key="watch_for_mysterious_file"

# File to store the time after which ausearch should look for events.
# On exiting this script, we'll update the file with the current date and time
last_run_file="/tmp/last_audit_check"

# Initialize the last run time if it doesn't exist,
# we can use ausearch's special time values here such as
# "yesterday", "this-year", "recent", etc.
if [ ! -f "$last_run_file" ]; then
    echo yesterday > "$last_run_file"
fi

# Search the audit log for entries with the specified key after the last run time.
# We need to pass the line from last_run_file without quotes so --start gets two parameters: the date and the time separated
new_events=$(ausearch -k "$audit_key" --start $(cat "$last_run_file"))

# If there are new events send a notification to the specified user
if [[ -n "$new_events" ]]; then

  # Get the executable names that caused the new events, separated by commas
  exe_names=$(grep -oP 'exe="\K[^"]+' <<< "$new_events" | sort | uniq | sed -z 's/\n/, /g; s/, $/\n/')

  id_of_user_to_notify=$(id -u "$user_to_notify")

  sudo -u "$user_to_notify" DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/"$id_of_user_to_notify"/bus notify-send "Audit Event Triggered" "New event detected for key: $audit_key. Executable names: $exe_names"
  echo "New event detected for key: $audit_key"
fi

# Update the last run time, see "man ausearch" for the right date and time format
date '+%x %H:%M:%S' > "$last_run_file"

Then, I created a systemd service that calls the script:

# /etc/systemd/system/audit-monitor.service
[Unit]
Description=Audit Event Monitoring Service
After=auditd.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/audit-monitor.sh

The timer runs every minute:

# /etc/systemd/system/audit-monitor.timer
[Unit]
Description=Run Audit Event Monitoring Script Periodically

[Timer]
OnCalendar=*:0/1

[Install]
WantedBy=timers.target

Enable and start the timer with

systemctl daemon-reload && systemctl enable --now audit-monitor.timer

If auditd is not yet enabled and running:

systemctl enable --now auditd.service