Is it possible to find out what program or script created a given file?
You can watch everything that happens on a filesystem by accessing it over LoggedFS. This is a stacked filesystem that logs every access in a directory tree.
loggedfs -l /var/tmp/$USER-home-fs.log ~
Logging your whole home directory might slow your system down though. You'll at least want to write a configuration file with stringent filters.
If you have root access, on Linux, you can use the audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:
auditctl -w /path/to/file
or in the long form
auditctl -a exit,always -F path=/path/to/file
If you put a watch on a directory (with -w or -F dir=), the files in it and its subdirectories recursively are also watched.
I don't believe there is a way to determine which program created a file.
For your alternative question:
You can watch for the file to be recreated, though, using inotify. inotifywait is a command-line interface for the inotify subsystem; you can tell it to look for create events in your home directory:
$ (sleep 5; touch ~/making-a-test-file) &
[1] 22526
$ inotifywait -e create ~/
Setting up watches.
Watches established.
/home/mmrozek/ CREATE making-a-test-file
You probably want to run it with -m (monitor), which tells it not to exit after it sees the first event.
You might want to take a look at auditd, this package allows you to do security auditing, and get a lot of information about who changed what in the filesystem.
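The audit watches described in the answers above write several records per event to audit.log. As an added example (not part of any original answer), this Python script groups SYSCALL, CWD and PATH records by event id and reports the executable behind each nametype=CREATE entry. The log lines, the user alice and the function names are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Constructed sample in audit.log record format (not captured from a real system).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:481): syscall=257 success=yes exit=3 items=2 pid=22526 uid=1000 comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1700000000.123:481): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:481): item=0 name="/home/alice/" nametype=PARENT
type=PATH msg=audit(1700000000.123:481): item=1 name="making-a-test-file" nametype=CREATE
type=SYSCALL msg=audit(1700000009.500:482): syscall=257 success=yes exit=3 items=1 pid=22530 uid=1000 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1700000009.500:482): item=0 name="making-a-test-file" nametype=NORMAL
type=SYSCALL msg=audit(1700000020.004:483): syscall=257 success=yes exit=3 items=2 pid=23011 uid=1000 comm="python3" exe="/usr/bin/python3"
type=CWD msg=audit(1700000020.004:483): cwd="/home/alice"
type=PATH msg=audit(1700000020.004:483): item=0 name="/home/alice/" nametype=PARENT
type=PATH msg=audit(1700000020.004:483): item=1 name=6D79207265706F72742E747874 nametype=CREATE
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    # auditd quotes ordinary strings and hex-encodes ones with spaces or control bytes.
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def creators(log_text):
    """Return one dict per successfully created file: path, exe, comm, pid."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:  # records of one event share the same timestamp:serial id
            rec = dict(FIELD.findall(line))
            events[m.group(1)][rec.get("type")].append(rec)
    found = []
    for ev in events.values():
        sc = (ev["SYSCALL"] or [{}])[0]
        if sc.get("success") != "yes":
            continue
        cwd = decode(ev["CWD"][0]["cwd"]) if ev["CWD"] else "/"
        for p in ev["PATH"]:
            if p.get("nametype") == "CREATE":  # relative names resolve against CWD
                path = os.path.normpath(os.path.join(cwd, decode(p["name"])))
                found.append({"path": path, "exe": decode(sc["exe"]),
                              "comm": decode(sc["comm"]), "pid": int(sc["pid"])})
    return found
```

On a real system, pass the contents of /var/log/audit/audit.log to creators() instead of SAMPLE_LOG; reading that file normally requires root.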