I know that you can use lsof (in Linux at least) to check which process has got a particular file opened currently, but is there any way to find out which process created a particular file originally? Or even which process wrote/modified a particular file most recently?
How to find out which process created a particular file
Best Answer
Auditd would help with this. See http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/ for an introduction.
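To show what auditd records make possible here, the following added example (not part of the original answer) correlates the SYSCALL, CWD and PATH records of an audit.log excerpt to report which process created or wrote a watched file. The watch rule, the key `filewatch`, the file path and the log lines are constructed for illustration.

```python
import os
import re

# Constructed audit.log excerpt, as a watch rule like the following could produce:
#   auditctl -w "/tmp/my file" -p wa -k filewatch
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="filewatch"
type=CWD msg=audit(1700000000.123:101): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:101): item=0 name="/tmp/" inode=2 nametype=PARENT
type=PATH msg=audit(1700000000.123:101): item=1 name=2F746D702F6D792066696C65 inode=77 nametype=CREATE
type=SYSCALL msg=audit(1700000050.456:102): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=2345 auid=4294967295 uid=0 comm="backup.sh" exe="/usr/bin/bash" key="filewatch"
type=CWD msg=audit(1700000050.456:102): cwd="/tmp"
type=PATH msg=audit(1700000050.456:102): item=0 name=6D792066696C65 inode=77 nametype=NORMAL
'''
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def _text(v):
    """Audit strings are quoted, or hex-encoded when they hold spaces or quotes."""
    if v.startswith('"'):
        return v[1:-1]
    return bytes.fromhex(v).decode(errors="replace") if HEX.fullmatch(v) else v

def who_touched(log, target):
    """Return one dict per audit event whose PATH record resolves to target."""
    events = {}
    for line in log.splitlines():
        m = re.search(r"msg=audit\(([\d.]+):(\d+)\)", line)
        if not m:
            continue
        f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        ev = events.setdefault(m.group(2), {"paths": []})  # same serial = one event
        ev["time"] = float(m.group(1))
        if f["type"] == "SYSCALL":
            ev.update(pid=int(f["pid"]), auid=int(f["auid"]),
                      comm=_text(f["comm"]), exe=_text(f["exe"]))
        elif f["type"] == "CWD":
            ev["cwd"] = _text(f["cwd"])
        elif f["type"] == "PATH":
            ev["paths"].append((_text(f["name"]), f.get("nametype")))
    hits = []
    for ev in events.values():
        for name, nametype in ev["paths"]:
            full = os.path.normpath(os.path.join(ev.get("cwd", "/"), name))
            if full == target and nametype in ("CREATE", "NORMAL") and "pid" in ev:
                hits.append({"time": ev["time"], "created": nametype == "CREATE",
                             "pid": ev["pid"], "exe": ev["exe"], "comm": ev["comm"],
                             # auid 4294967295 (-1): no login session, e.g. a daemon
                             "login_uid": None if ev["auid"] == 4294967295 else ev["auid"]})
    return sorted(hits, key=lambda h: h["time"])
```

Audit rules only record events that occur after the rule is loaded, so this identifies the creating or writing process from that point on, not retroactively. `ausearch -k filewatch -i` performs the same correlation on a live system with names decoded.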