Is it possible to find out what program or script created a given file?

You can watch everything that happens on a filesystem by accessing it over LoggedFS. This is a stacked filesystem that logs every access in a directory tree.

loggedfs -l /var/tmp/$USER-home-fs.log ~

Logging your whole home directory might slow your system down though. You'll at least want to write a configuration file with stringent filters.

If you have root access, on Linux, you can use the audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

auditctl -w /path/to/file

or in the long form

auditctl -a exit,always -F path=/path/to/file

If you put a watch on a directory (with -w or -F dir=), the files in it and its subdirectories recursively are also watched.
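As an added example (not part of the answer above): once a watch on the containing directory is logging to audit.log, the records of one event share a serial number, so the PATH record with nametype=CREATE can be joined to the SYSCALL record that names the pid and exe. The sample lines, pids and the key "who-made-it" are constructed for illustration and trimmed to the fields used.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample in audit.log record format, trimmed to the fields used here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4242): syscall=257 success=yes exit=3 ppid=22526 pid=22531 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="who-made-it"
type=CWD msg=audit(1700000000.101:4242): cwd="/home/mmrozek"
type=PATH msg=audit(1700000000.101:4242): item=0 name="/home/mmrozek" inode=12 nametype=PARENT
type=PATH msg=audit(1700000000.101:4242): item=1 name="making-a-test-file" inode=345 nametype=CREATE
type=SYSCALL msg=audit(1700000009.550:4250): syscall=257 success=yes exit=3 ppid=22000 pid=22540 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="who-made-it"
type=CWD msg=audit(1700000009.550:4250): cwd="/home/mmrozek"
type=PATH msg=audit(1700000009.550:4250): item=0 name="making-a-test-file" inode=345 nametype=NORMAL
"""

RECORD = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial number; all records of one event share it."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[serial][rtype].append(fields)
    return events

def creators(text, target):
    """Return (pid, exe, auid) for every successful syscall that created target."""
    hits = []
    for records in parse_events(text).values():
        cwd = (records.get("CWD") or [{}])[0].get("cwd", "/")
        created = any(
            p.get("nametype") == "CREATE"
            # PATH names may be relative; resolve them against the CWD record.
            and posixpath.normpath(posixpath.join(cwd, p.get("name", ""))) == target
            for p in records.get("PATH", []))
        if created:
            hits += [(int(s["pid"]), s["exe"], s["auid"])
                     for s in records.get("SYSCALL", []) if s.get("success") == "yes"]
    return hits

if __name__ == "__main__":
    print(creators(SAMPLE_LOG, "/home/mmrozek/making-a-test-file"))
```

In real logs, names containing spaces or special characters are hex-encoded; ausearch -i decodes them before parsing like this.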


I don't believe there is a way to determine which program created a file.

For your alternative question: You can watch for the file to be recreated, though, using inotify. inotifywait is a command-line interface for the inotify subsystem; you can tell it to look for create events in your home directory:

$ (sleep 5; touch ~/making-a-test-file) &
[1] 22526

$ inotifywait -e create ~/
Setting up watches.
Watches established.
/home/mmrozek/ CREATE making-a-test-file

You probably want to run it with -m (monitor), which tells it not to exit after it sees the first event.


You might want to take a look at auditd. This package allows you to do security auditing and get a lot of information about who changed what in the filesystem.