6

I notice a lot of empty files in /tmp with names similar to "/tmp/tmp.tMIHx17730". I ran an audit rule and found out that mktemp is creating them, which is not too helpful.

How do I find out which script calls mktemp to create these files? Can I capture parent process id/command line with auditd?

Update: I believe I have the parent process id (ppid=17729), but the script quickly quits and I can't find the script. Can I set up auditd to get the parent process command line as well?

Update 2: Here is how I set up auditd to show what writes to /tmp:

auditctl -w /tmp -k tmpfiles

Then:

ausearch  -k tmpfiles|grep "tmp."

Then I pick a file and I do

ausearch  -k tmpfiles -f /tmp/tmp.tMIHx17730

This shows me the process which created the file and the parent process pid. I need to set up some kind of process-start listener to catch the most recent process with that pid.

NickSoft
  • Are you using auditd to monitor changes to /tmp? – user9517 Nov 11 '15 at 16:29
  • 1
    Take a look at this [unix.stackexchange Q&A](http://unix.stackexchange.com/questions/13776/how-to-determine-which-process-is-creating-a-file). I don't think you can do that with auditd but lsof in a loop could help. – Henrik Pingel Nov 11 '15 at 16:59
  • the event (of creating files) happens once a few hours. I can't possibly catch that with lsof. Also if it catches it it'll show me that mktemp - which I already know I need to know parent process. – NickSoft Nov 12 '15 at 10:05

1 Answer

3

OK. I found it like this:

Set up auditd:

auditctl -w /tmp -k tmpfiles
auditctl -a task,always

Then search

ausearch  -k tmpfiles|grep "/tmp/tmp."

I get something like this:

Then I get ppid=5807 and search for the process:

ausearch -p 5807

I got something like

time->Thu Nov 12 12:14:34 2015
type=SYSCALL msg=audit(1447323274.234:2547064): arch=c000003e syscall=231 a0=1 a1=3c a2=1 a3=0 items=0 ppid=5772 pid=5807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=84330 comm="bitdefender-wra" exe="/bin/bash" key=(null)

Where exe="/bin/bash" is the executable and comm="bitdefender-wra" is the (truncated) command line.

So I simply run:

# locate bitdefender-wra
/usr/lib/MailScanner/bitdefender-wrapper

And there it is:

LogFile=$(mktemp) || { echo "$0: Cannot create temporary file" >&2; exit 1; }

I change this to:

LogFile=$(mktemp /tmp/bitdefender.XXXXXXXXXXXX) || { echo "$0: Cannot create temporary file" >&2; exit 1; }

In order to verify that this is the script that doesn't delete its temporary files. There is rm -f $LogFile below, but there is also an exit before that.

Keep in mind that there might be a better way. So I'll wait for someone to give the best way to find the parent, with command line, of a process that's creating tmp files. My way doesn't have many filters and creates way too big logs.

NickSoft
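The manual ppid hopping in the answer (run ausearch, read ppid=, run ausearch again) can be scripted. The following is an added example, not code from the question or the answer: it parses SYSCALL records in the format shown above, walks the ppid links from a starting pid, and reports the comm of the nearest ancestor whose exe is a shell, which is where the script name shows up (as the answer observed with exe="/bin/bash" and comm="bitdefender-wra"). The three records in AUDIT_RECORDS are constructed for the example; on a real system you would feed it the output of ausearch -p PID (or the raw audit log) instead. The pid values, the extra mktemp and MailScanner records, and the function names ancestry and script_of are all assumptions of this example.

```shell
#!/bin/sh
# Constructed audit SYSCALL records for the example (not real log output).
# They mimic the record format quoted in the answer: mktemp (pid 5810),
# its bash parent running the wrapper script (pid 5807), and that
# script's parent (pid 5772). Only pid/ppid/comm/exe are used.
AUDIT_RECORDS='type=SYSCALL msg=audit(1447323274.234:2547064): arch=c000003e syscall=257 a0=ffffff9c a1=1ce3010 a2=c2 a3=180 items=2 ppid=5807 pid=5810 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=84330 comm="mktemp" exe="/bin/mktemp" key="tmpfiles"
type=SYSCALL msg=audit(1447323274.234:2547065): arch=c000003e syscall=231 a0=1 a1=3c a2=1 a3=0 items=0 ppid=5772 pid=5807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=84330 comm="bitdefender-wra" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1447323274.234:2547066): arch=c000003e syscall=231 a0=1 a1=3c a2=1 a3=0 items=0 ppid=1 pid=5772 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=84330 comm="MailScanner" exe="/usr/bin/perl" key=(null)'

# ancestry PID: print one line per process, from PID up through every
# parent that has a SYSCALL record, as "pid=.. ppid=.. comm=.. exe=..".
# If a pid appears in several records the last one wins; with real logs
# from a long ausearch run, pick the record closest in time to the file
# creation event, because pids are reused.
ancestry() {
    printf '%s\n' "$AUDIT_RECORDS" | awk -v start="$1" '
    /type=SYSCALL/ {
        pid = ""; ppid = ""; comm = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            gsub(/"/, "", v)            # comm and exe are quoted in the log
            if (k == "pid") pid = v
            else if (k == "ppid") ppid = v
            else if (k == "comm") comm = v
            else if (k == "exe") exe = v
        }
        if (pid != "") { parent[pid] = ppid; name[pid] = comm; image[pid] = exe }
    }
    END {
        p = start; depth = 0
        # depth guard protects against a cycle from pid reuse in a big log
        while ((p in parent) && depth < 64) {
            printf "pid=%s ppid=%s comm=%s exe=%s\n", p, parent[p], name[p], image[p]
            p = parent[p]; depth++
        }
    }'
}

# script_of PID: comm of the nearest ancestor executed by a shell, i.e.
# the (16-character truncated) name of the script that called mktemp.
script_of() {
    ancestry "$1" | awk '
    $4 == "exe=/bin/bash" || $4 == "exe=/bin/sh" || $4 == "exe=/bin/dash" {
        sub(/^comm=/, "", $3); print $3; exit
    }'
}

# chain_length PID: number of processes ancestry found for PID.
chain_length() {
    ancestry "$1" | awk 'END { print NR }'
}

# Usage with the constructed data: start from the mktemp pid.
ancestry 5810
script_of 5810
```

The comm field is capped at 16 characters by the kernel, so script_of gives a prefix like bitdefender-wra rather than the full name; the answer's locate step (or a find on the usual script directories) finishes the job. Adding -F exe=/bin/bash or a key to the task rule would keep the log far smaller than logging every task creation.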