Solved

finding which process created a given file

Posted on 2014-01-27
7
1,062 Views
Last Modified: 2014-02-03
Hi,
I ran a cronjob process which runs everyday at a certain time.
It creates some file in a directory.

Suppose i want to know the information other way. I have a file which was created by some process.. How do i find out the process id which created this file ?

Thanks
0
Comment
Question by:Rohit Bajaj
7 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39811439
You could use audit, if the process still writes to that file of course: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
0
 
LVL 22

Expert Comment

by:blu
ID: 39811728
The only way to find out what process made a file that already exists is if it still has the file open (but that may not be definitive since a different process might have opened it after it was created) or if auditing is turned on and there is an existing audit record.

On the other hand, if you know about a file that is repeatedly created, you can probably find the process as it creates it using file notification or the like.

If you really had the reverse situation of a cronjob and you found a file that is created repeatedly, you can often find the culprit by correlating the time of creation with the start time of all the scheduled cronjobs. Most cronjobs are relatively short lived.
0
 
LVL 14

Accepted Solution

by:
comfortjeanius earned 250 total points
ID: 39812109
You can look into:
lsof

Open in new window

Simply typing lsof will provide a list of all open files belonging to all active processes.

List processes which opened a specific file. You can list only the processes which opened a specific file, by providing the filename as arguments.
lsof /var/log/syslog

Open in new window


You can check the man pages for lsof; you also can look into auditctl man pages. This a utility to assist controlling the kernel’s audit system.  Here some examples and example2....
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 37

Assisted Solution

by:Gerwin Jansen
Gerwin Jansen earned 250 total points
ID: 39813576
Process ID's are re-used, I don't know of a way to find what process had created a file once the process isn't there anymore.

I'd just look at the owner of the file and the timestamp when it was created.

If you suspect a cronjob, you could set the output directory read-only. Then the cron-job fails and you will know which job created the file.

Another option would be to have the cron-job create an additional file named <cronjob_name>_<process_id>.log - this would give you cronjob, process id, timestamp.
0
 
LVL 13

Expert Comment

by:Sandy
ID: 39814469
#fuser filename
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 39815296
@Sandeep - fuser is only applicable when file is in use. It is of no use when the file is closed aleady ("find out the process id which created this file").
0
 
LVL 13

Expert Comment

by:Sandy
ID: 39831687
thanks Gerwin
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Why Shell Scripting? Shell scripting is a powerful method of accessing UNIX systems and it is very flexible. Shell scripts are required when we want to execute a sequence of commands in Unix flavored operating systems. “Shell” is the command line i…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now