I notice a lot of empty files in /tmp with names similar to "/tmp/tmp.tMIHx17730". I ran an audit rule and found out that mktemp is creating them, which is not too helpful.
How do I find out which script calls mktemp to create these files? Can I capture parent process id/command line with auditd?
Update:
I believe I have the parent process id (ppid=17729), but the script quickly quits and I can't find the script. Can I set up auditd to get the parent process command line as well?
Update 2:
Here is how I set up auditd to show what writes to /tmp:
auditctl -w /tmp -k tmpfiles
Then:
ausearch -k tmpfiles|grep "tmp."
Then I pick a file and I do
ausearch -k tmpfiles -f /tmp/tmp.tMIHx17730
This shows me the process which created the file and the parent process pid. I need to set up some kind of process-start listener to catch what the most recent process with that pid is.
Best Answer
OK. I found it like this:
setup auditd:
Then search
I get something like this:
Then I get ppid=5807 and search for the process:
I got something like
Where exe="/bin/bash" is the executable and comm="bitdefender-wra" is the (truncated) command line.
So I simply run:
And there it is:
I change this to:
in order to verify that this is the script that doesn't delete its temporary files. There is
rm -f $LogFile
below, but there is also an exit before that. Keep in mind that there might be a better way. So I'll wait for someone to give the best way to find the parent, with command line, of a process that's creating tmp files. My way doesn't have many filters and creates way too big logs.
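A worked example, added here and not part of the question or the answer above. The gap both posts hit is that the watch rule only records the process that touched /tmp, with the parent's name truncated to the 15-character comm field. Auditing execve as well (auditctl -a always,exit -F arch=b64 -S execve -k exec) fixes that: every execve event carries an EXECVE record with the full argv of the process, so the parent's command line can be read from its own execve record, and ausearch --ppid / --pid can then be used to pull those records. The Python below does the correlation over constructed raw audit.log records (not logs from the asker's host; the wrapper script path /opt/example/bitdefender-wrapper.sh is a hypothetical placeholder standing in for whatever script the answer found). It starts from the PATH record that created the file, walks up the ppid chain, decodes the hex-encoded arguments audit emits for values containing spaces, and for each pid picks the most recent execve before the file was created so a reused pid does not point at the wrong process.

```python
import re

# Constructed sample records in raw /var/log/audit/audit.log format (not logs
# from the question's host). They model: an execve of a wrapper script
# (hypothetical placeholder path), that script's execve of mktemp, and the
# -w /tmp -k tmpfiles watch hit when mktemp creates the file.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:5001): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=17729 auid=4294967295 uid=0 gid=0 euid=0 comm="bitdefender-wra" exe="/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.100:5001): argc=3 a0="/bin/bash" a1="/opt/example/bitdefender-wrapper.sh" a2=6461696C79207363616E
type=SYSCALL msg=audit(1700000000.200:5002): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=17729 pid=17730 auid=4294967295 uid=0 gid=0 euid=0 comm="mktemp" exe="/bin/mktemp" key="exec"
type=EXECVE msg=audit(1700000000.200:5002): argc=1 a0="mktemp"
type=SYSCALL msg=audit(1700000000.210:5003): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=17729 pid=17730 auid=4294967295 uid=0 gid=0 euid=0 comm="mktemp" exe="/bin/mktemp" key="tmpfiles"
type=PATH msg=audit(1700000000.210:5003): item=1 name="/tmp/tmp.tMIHx17730" inode=1234 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_value(raw):
    """audit quotes plain strings; args with spaces or control chars are hex-encoded."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_audit_log(text):
    """Group raw records into events keyed by audit serial number.

    Records of one event (SYSCALL, EXECVE, PATH, ...) share the same
    msg=audit(timestamp:serial) value; that is how ausearch joins them too.
    """
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        m = MSG_RE.search(fields['msg'])
        ts, serial = float(m.group(1)), int(m.group(2))
        ev = events.setdefault(serial, {'ts': ts, 'records': []})
        ev['records'].append((fields['type'], fields))
    return events


def first_record(ev, rtype):
    return next((f for t, f in ev['records'] if t == rtype), None)


def find_creator(events, path):
    """Return (timestamp, SYSCALL fields) of the event that created `path`."""
    for serial in sorted(events):
        ev = events[serial]
        created = any(t == 'PATH' and decode_value(f.get('name', '')) == path
                      and f.get('nametype') == 'CREATE' for t, f in ev['records'])
        if created:
            return ev['ts'], first_record(ev, 'SYSCALL')
    return None


def execve_for_pid(events, pid, before_ts):
    """Most recent execve of `pid` at or before `before_ts`.

    Restricting to events before the file creation guards against a later,
    unrelated process that happened to get the same pid.
    """
    best = None
    for ev in events.values():
        sc, ex = first_record(ev, 'SYSCALL'), first_record(ev, 'EXECVE')
        if sc is None or ex is None or ev['ts'] > before_ts or int(sc['pid']) != pid:
            continue
        if best is None or ev['ts'] > best['ts']:
            best = ev
    if best is None:
        return None
    sc, ex = first_record(best, 'SYSCALL'), first_record(best, 'EXECVE')
    argv = [decode_value(ex['a%d' % i]) for i in range(int(ex['argc']))]
    return {'pid': pid, 'ppid': int(sc['ppid']), 'exe': decode_value(sc['exe']), 'argv': argv}


def process_ancestry(events, path):
    """Creator of `path` first, then each ancestor with its full argv."""
    found = find_creator(events, path)
    if found is None:
        return []
    ts, sc = found
    chain, pid = [], int(sc['pid'])
    while pid > 1:
        info = execve_for_pid(events, pid, ts)
        if info is None:
            break  # no execve record: process predates the rule or was not audited
        chain.append(info)
        pid = info['ppid']
    return chain


if __name__ == '__main__':
    for p in process_ancestry(parse_audit_log(SAMPLE_AUDIT_LOG), '/tmp/tmp.tMIHx17730'):
        print('pid=%d ppid=%d exe=%s argv=%r' % (p['pid'], p['ppid'], p['exe'], p['argv']))
```

On a real host the input would be the raw output of ausearch -k exec -k tmpfiles (or the audit.log itself); the execve rule is far noisier than the /tmp watch, so scope it with -F auid or -F uid when the owning user is known, and remove it once the script is identified.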