Linux – How to find out what’s creating temporary files

Tags: auditd, bash, linux

I notice a lot of empty files in /tmp with names similar to "/tmp/tmp.tMIHx17730". I ran an audit rule and found out that mktemp is creating them, which is not too helpful.

How do I find out which script calls mktemp to create these files? Can I capture parent process id/command line with auditd?

Update:
I believe I have the parent process id (ppid=17729), but the script quickly quits and I can't find the script. Can I set up auditd to get the parent process command line as well?

Update 2:
Here is how I set up auditd to show what writes to /tmp:

auditctl -w /tmp -k tmpfiles

Then:

ausearch -k tmpfiles | grep "tmp."

Then I pick a file and I do

ausearch -k tmpfiles -f /tmp/tmp.tMIHx17730

This shows me the process which created the file and the parent process pid. I need to set up some kind of process-start listener to catch what the most recent process with that pid is.

Best Answer

OK. I found it like this:

Set up auditd:

auditctl -w /tmp -k tmpfiles
auditctl -a task,always

Then search:

ausearch -k tmpfiles | grep "/tmp/tmp."

I get something like this:

Then I get ppid=5807 and search for the process:

ausearch -p 5807

I got something like:

time->Thu Nov 12 12:14:34 2015
type=SYSCALL msg=audit(1447323274.234:2547064): arch=c000003e syscall=231 a0=1 a1=3c a2=1 a3=0 items=0 ppid=5772 pid=5807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=84330 comm="bitdefender-wra" exe="/bin/bash" key=(null)

Where exe="/bin/bash" is the executable and comm="bitdefender-wra" is the (truncated) command line.

So I simply run:

# locate bitdefender-wra
/usr/lib/MailScanner/bitdefender-wrapper

And there it is:

LogFile=$(mktemp) || { echo "$0: Cannot create temporary file" >&2; exit 1; }

I change this to:

LogFile=$(mktemp /tmp/bitdefender.XXXXXXXXXXXX) || { echo "$0: Cannot create temporary file" >&2; exit 1; }

In order to verify that this is the script that doesn't delete its temporary files. There is rm -f $LogFile below, but there is also an exit before that.

Keep in mind that there might be a better way. So I'll wait for someone to give the best way to find the parent, with command line, of a process that's creating tmp files. My way doesn't have many filters and creates way too big logs.
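The pid-to-ppid walk the answer does by hand can be scripted; here is an added shell example (not from the original post) that does it over ausearch-style records. It assumes a filtered rule set instead of -a task,always (a /tmp watch plus an execve rule keyed "procs", both assumptions), and the audit records embedded in it are constructed sample data in the format the answer shows, so it runs offline.

```bash
# Added example (not from the original post): parse ausearch-style records and
# walk pid -> ppid to name the script behind a temp file. Assumes the filtered
# rules in audit_rules() rather than -a task,always. SAMPLE_RECORDS is
# constructed data in the format the answer shows; on a real host pipe in
# `ausearch -k tmpfiles` and `ausearch -k procs` output instead.
audit_rules() {  # log only file creation under /tmp plus every execve
  printf '%s\n' '-w /tmp -p wa -k tmpfiles' \
                '-a always,exit -F arch=b64 -S execve -k procs'
}
SAMPLE_RECORDS='type=SYSCALL msg=audit(1447323274.050:2547050): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=5772 auid=0 uid=0 comm="MailScanner" exe="/usr/bin/perl" key="procs"
type=EXECVE msg=audit(1447323274.050:2547050): argc=2 a0="/usr/bin/perl" a1="/usr/sbin/MailScanner"
type=SYSCALL msg=audit(1447323274.100:2547060): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=5772 pid=5807 auid=0 uid=0 comm="bitdefender-wra" exe="/bin/bash" key="procs"
type=EXECVE msg=audit(1447323274.100:2547060): argc=2 a0="/bin/bash" a1="/usr/lib/MailScanner/bitdefender-wrapper"
type=SYSCALL msg=audit(1447323274.234:2547064): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=5807 pid=5811 auid=0 uid=0 comm="mktemp" exe="/usr/bin/mktemp" key="tmpfiles"
type=PATH msg=audit(1447323274.234:2547064): item=1 name="/tmp/tmp.tMIHx17730" inode=131 dev=fd:01 mode=0100600 ouid=0 ogid=0'
# audit_field RECORD FIELD -> value of FIELD=... with surrounding quotes stripped
audit_field() {
  printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}
# audit_serial RECORD -> event serial from msg=audit(time:serial)
audit_serial() { audit_field "$1" msg | sed -n 's/.*:\([0-9]*\)).*/\1/p'; }
# records_of_event RECORDS SERIAL TYPE -> records of TYPE in event SERIAL
records_of_event() { printf '%s\n' "$1" | grep "^type=$3 msg=audit([0-9.]*:$2):"; }
# creator_of RECORDS FILE -> "pid ppid comm exe" of the syscall that created FILE
creator_of() {
  local path_rec serial sys_rec
  path_rec=$(printf '%s\n' "$1" | grep "^type=PATH .* name=\"$2\"" | head -n 1)
  [ -n "$path_rec" ] || return 1
  serial=$(audit_serial "$path_rec")
  sys_rec=$(records_of_event "$1" "$serial" SYSCALL | head -n 1)
  echo "$(audit_field "$sys_rec" pid) $(audit_field "$sys_rec" ppid)" \
       "$(audit_field "$sys_rec" comm) $(audit_field "$sys_rec" exe)"
}
# parent_chain RECORDS PID -> one "pid exe argv" line per ancestor, taken from
# its execve record, walking ppid until pid 1 or a process with no record
parent_chain() {
  local pid=$2 rec serial argv
  while [ -n "$pid" ] && [ "$pid" -gt 1 ]; do
    rec=$(printf '%s\n' "$1" | grep "^type=SYSCALL .* syscall=59 .* pid=$pid " | head -n 1)
    [ -n "$rec" ] || break
    serial=$(audit_serial "$rec")
    argv=$(records_of_event "$1" "$serial" EXECVE | sed -n 's/.*argc=[0-9]* //p')
    echo "$pid $(audit_field "$rec" exe) $argv"
    pid=$(audit_field "$rec" ppid)
  done
}
creator_of "$SAMPLE_RECORDS" /tmp/tmp.tMIHx17730   # 5811 5807 mktemp /usr/bin/mktemp
parent_chain "$SAMPLE_RECORDS" 5807
```

The execve record carries the full argv, so the chain shows the wrapper's path directly instead of the truncated comm= value.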