Suppose there's a file that keeps appearing in my home directory automatically even after I delete it. Knowing nothing more about it, is there a way to figure out what keeps putting that file there? Is there a way to track down the program/process that creates it?
Seems to me like you could use https://unix.stackexchange.com/q/6068/117549 ...? – Jeff Schaller Apr 23 '19 at 17:00
or also auditd with the right configuration. – A.B Apr 23 '19 at 17:17
1 Answer
One option is to use sysdig: an open-source system monitoring application. Using it, you can monitor for activity on a file by name. Suppose that you wanted to see what process was creating a file named /tmp/example.txt:
# sysdig fd.name=/tmp/example.txt
567335 16:18:39.654437223 0 touch (5470) < openat fd=3(<f>/tmp/example.txt) dirfd=-100(AT_FDCWD) name=/tmp/example.txt flags=70(O_NONBLOCK|O_CREAT|O_WRONLY) mode=0666
567336 16:18:39.654438248 0 touch (5470) > dup fd=3(<f>/tmp/example.txt)
567337 16:18:39.654438592 0 touch (5470) < dup res=0(<f>/tmp/example.txt)
567338 16:18:39.654439629 0 touch (5470) > close fd=3(<f>/tmp/example.txt)
567339 16:18:39.654439764 0 touch (5470) < close res=0
567342 16:18:39.654441958 0 touch (5470) > close fd=0(<f>/tmp/example.txt)
567343 16:18:39.654442111 0 touch (5470) < close res=0
From that output, you can see that a process named touch with pid 5470 opened the file.
If you want more information, you could run in "capture mode" where a system call trace is collected:
# sysdig -w /tmp/dumpfile.scap
Then wait for the file to be created, then stop sysdig and run:
# csysdig -r /tmp/dumpfile.scap
That'll let you explore everything that happened. You can press <F2> and select Files, then press <F4> to search for the filename, then press <F6> to "dig" (which will show you output similar to the command above). With that, you can then use the same approach to find information about the process that actually created the file.
There's a GUI version of csysdig called sysdig-inspect, if that's more your cup of tea.

This is a pretty nice tool! And I found out the cause! :) You should write this up as an answer to this question too. – Mike Pierce Apr 24 '19 at 05:11
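Added example, not part of the original answer: when several processes touch the file, the sysdig output shown in the answer can be filtered down to the calls that asked the kernel to create it. The function name `find_creators` and the `cat` line in the sample are constructed for illustration; the parser assumes the line layout seen in the answer's output and paths without spaces or parentheses.

```python
import re

# Layout of the lines in the answer's output:
#   event-number  time  cpu  process-name (pid)  direction  syscall  args
LINE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>[\d:.]+)\s+(?P<cpu>\d+)\s+(?P<proc>.+?)\s+"
    r"\((?P<pid>\d+)\)\s+(?P<dir>[<>])\s+(?P<syscall>\w+)\s*(?P<args>.*)$"
)
# Result of open/openat/creat as printed above: "fd=3(<f>/tmp/example.txt)"
FD_RE = re.compile(r"\bfd=(?P<fd>-?\d+)\(<f>(?P<path>[^)]*)\)")
FLAGS_RE = re.compile(r"\bflags=\d+\((?P<flags>[^)]*)\)")


def find_creators(lines, path):
    """Return (time, process, pid, syscall) for each successful call on `path`
    that asked the kernel to create the file if it was missing."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        # Only exit events ("<") carry the resulting file descriptor.
        if not m or m["dir"] != "<" or m["syscall"] not in ("open", "openat", "creat"):
            continue
        fd = FD_RE.search(m["args"])
        # Skip calls without a resolved regular-file fd, or on another path.
        if not fd or int(fd["fd"]) < 0 or fd["path"] != path:
            continue
        flags = FLAGS_RE.search(m["args"])
        names = flags["flags"].split("|") if flags else []
        # creat() always creates; open/openat only when O_CREAT is set.
        if m["syscall"] == "creat" or "O_CREAT" in names:
            hits.append((m["time"], m["proc"], int(m["pid"]), m["syscall"]))
    return hits


# First three lines are taken from the answer; the "cat" line is constructed
# to show a reader of the file being filtered out.
SAMPLE = """\
567335 16:18:39.654437223 0 touch (5470) < openat fd=3(<f>/tmp/example.txt) dirfd=-100(AT_FDCWD) name=/tmp/example.txt flags=70(O_NONBLOCK|O_CREAT|O_WRONLY) mode=0666
567338 16:18:39.654439629 0 touch (5470) > close fd=3(<f>/tmp/example.txt)
567339 16:18:39.654439764 0 touch (5470) < close res=0
567400 16:18:41.100000000 1 cat (5480) < openat fd=3(<f>/tmp/example.txt) dirfd=-100(AT_FDCWD) name=/tmp/example.txt flags=1(O_RDONLY) mode=0
""".splitlines()

if __name__ == "__main__":
    for when, proc, pid, syscall in find_creators(SAMPLE, "/tmp/example.txt"):
        print(f"{when} {proc} (pid {pid}) opened the file with create semantics via {syscall}")
```

To use it on live data, pass the lines of saved sysdig output (or `sys.stdin`) instead of `SAMPLE`. A hit means the process opened the path with create semantics, so it is the candidate to investigate further, for example by its parent process.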