Logging hidden file creations

Question

Possible Duplicate:
Is it possible to find out what program or script created a given file?

Can I find somewhere in logs the times of creation of hidden files or directories under the /home/username/ directory?

If not, can I use some application to log this for me? It should contain time of creation, file or directory name and who created it (app or user) sorted by time and date.

Seems to cry for LoggedFS - FS monitoring with FUSE; see this for configuration. — sr_, May 09 '12 at 15:05
I usually simply check the backup log. New files automatically appear in that logfile every night. — jippie, May 09 '12 at 18:29
@Nils files or directories beginning with . They are often created by some applications. — xralf, May 09 '12 at 20:43
ok - since these are "normal" files and directories with respect to the filesystem, you can read their timestamps etc. with stat, too. — Nils, May 09 '12 at 20:50

George M · Accepted Answer · 2012-05-09T15:26:13.747

Specific for Linux, the auditd package should be able to provide the information you are looking for. It uses the audit functionality provided by the 2.6 and later kernel. Here is a Quick Start which is specific to SLES, but will give you an idea of how auditd works and how to configure it.

From the auditctl man page:

-w path
    Insert  a  watch for the file system object at path. You cannot insert
    a watch to the top level directory. This is prohibited by the  kernel. 
    Wildcards  are not supported either and will generate a warning. The way
    that watches work is by tracking the inode internally. If you place a 
    watch on a file, its the same as  using  the  -F  path  option  on a 
    syscall rule. If you place a watch on a directory, its the same as using
    the -F dir option on a syscall rule.  The  -w form  of  writing watches 
    is for backwards compatibility and the syscall based form is more
    expressive. Unlike most syscall auditing rules,  watches  do  not impact
    performance  based on the number of rules sent to the kernel. The only 
    valid options when using a watch are the -p and -k. If you  need to     
    anything fancy like audit a specific user accessing a file, then use 
    the syscall auditing form with the path or dir fields.

Also available in OSX, but the options are a bit different, as per usual. — Wojtek, May 09 '12 at 15:49
Audit is not able to filter for hidden files only. But you can run reports afterwards to do the filtering. — Matthew Ife, May 09 '12 at 16:24

score 2 · Answer 2 · answered May 09 '12 at 16:45

There is no log file which contains information about hidden files or directories in your home directory. But you can see the creation time of the files/directories using for example ls -l -c or stat <file>.

Beside auditd, which uther mentioned in his answer, there is inotifywait from the inotify-tools package to watch any changes in a directory in Linux.

To monitor any file/directory creations in your home directory run

inotifywait -m -e create $HOME

To watch changes in subdirectories, add the -r flag.

inotifywait does not display the program which actually does the change.

Logging hidden file creations

2 Answers2

Linked