Logging the creation of hidden files

xra*_*alf 4 logs audit

Possible duplicate:
Is it possible to find out which program or script created a given file?

Can I find, somewhere in the logs, the creation time of a hidden file or directory under /home/username/?

If not, is there an application I can use to log this for me? It should record the creation time, the file or directory name, and the creator (application or user), sorted by time and date.

Geo*_*e M 5

Specific to Linux, the auditd package should be able to provide the information you are looking for. It uses the auditing features provided by kernels 2.6 and later. Here is a SLES-specific quick start, but it will give you an idea of how auditd works and how to configure it.

From the auditctl man page:

-w path
    Insert a watch for the file system object at path. You cannot insert
    a watch to the top level directory. This is prohibited by the kernel.
    Wildcards are not supported either and will generate a warning. The way
    that watches work is by tracking the inode internally. If you place a
    watch on a file, it's the same as using the -F path option on a
    syscall rule. If you place a watch on a directory, it's the same as using
    the -F dir option on a syscall rule. The -w form of writing watches
    is for backwards compatibility and the syscall based form is more
    expressive. Unlike most syscall auditing rules, watches do not impact
    performance based on the number of rules sent to the kernel. The only
    valid options when using a watch are the -p and -k. If you need to do
    anything fancy like audit a specific user accessing a file, then use
    the syscall auditing form with the path or dir fields.

  • Auditing cannot filter on hidden files alone, but you can run a report afterwards and filter. (3 upvotes)
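As an added example (not part of the original answer or of the auditd project): a POSIX shell script that installs the directory watch the man page describes and then does the "filter afterwards" step from the comment, reducing raw audit records to hidden-file creations and reporting time, path, login uid and the creating program. The watched path /home/username, the key name home_create, the function names and the embedded audit.log sample are all assumptions; the sample lines are constructed to look like real audit records and are not captured from a system.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes auditd is installed, the
# watched home directory is /home/username, and the key "home_create" (an
# arbitrary choice) is used to tag matching events.

# 1. Rule installation (needs root). -w watches the directory, -p wa records
#    writes and attribute changes (creating an entry is a write to the parent
#    directory), -k tags the events so ausearch -k / aureport can pull them
#    back out. "ausearch -k home_create --raw" prints the records in the
#    form that report_hidden_creates below reads.
install_rules() {
    auditctl -w /home/username -p wa -k home_create
}

# 2. Reduce raw audit records to hidden-file creations. One syscall produces
#    several records sharing one serial in msg=audit(TIME:SERIAL); the
#    SYSCALL record carries who/what (auid, comm), the PATH record with
#    nametype=CREATE carries the new path. "Hidden" means the last path
#    component starts with a dot. Output: TIME PATH auid=... comm=...,
#    sorted by time.
report_hidden_creates() {
    awk '
    {
        # pull "TIME:SERIAL" out of msg=audit(TIME:SERIAL):
        match($0, /audit\([0-9.]+:[0-9]+\)/)
        id = substr($0, RSTART + 6, RLENGTH - 7)
        split(id, parts, ":"); ts = parts[1]
    }
    $1 == "type=SYSCALL" {
        auid[id] = field($0, "auid"); comm[id] = field($0, "comm")
    }
    $1 == "type=PATH" && /nametype=CREATE/ {
        name = field($0, "name")
        n = split(name, comp, "/")
        if (comp[n] ~ /^\./) { stamp[id] = ts; created[id] = name }
    }
    END {
        for (id in created)
            printf "%s %s auid=%s comm=%s\n", stamp[id], created[id], auid[id], comm[id]
    }
    # value of key=... on the line, with surrounding quotes stripped
    function field(line, key,   m) {
        if (match(line, " " key "=[^ ]+")) {
            m = substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
            gsub(/"/, "", m); return m
        }
        return "?"
    }' | LC_ALL=C sort -n
}

# Constructed sample: touch creates .secret, vim creates notes.txt (not
# hidden), root's mkdir creates the .cache directory.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 comm="touch" exe="/usr/bin/touch" key="home_create"
type=CWD msg=audit(1700000000.101:201): cwd="/home/username"
type=PATH msg=audit(1700000000.101:201): item=0 name="/home/username" inode=1234 dev=fd:01 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1700000000.101:201): item=1 name="/home/username/.secret" inode=1235 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=CREATE
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=900 pid=902 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="home_create"
type=PATH msg=audit(1700000000.202:202): item=0 name="/home/username" inode=1234 dev=fd:01 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1700000000.202:202): item=1 name="/home/username/notes.txt" inode=1236 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=CREATE
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=83 success=yes exit=0 items=2 ppid=900 pid=903 auid=0 uid=0 gid=0 euid=0 comm="mkdir" exe="/usr/bin/mkdir" key="home_create"
type=PATH msg=audit(1700000000.303:203): item=0 name="/home/username" inode=1234 dev=fd:01 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1700000000.303:203): item=1 name="/home/username/.cache" inode=1237 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=CREATE'

# Stand-alone run over the constructed sample (install_rules is not called
# here because it needs root and a live auditd).
printf '%s\n' "$SAMPLE_LOG" | report_hidden_creates
```

On a live system, replace the sample with `ausearch -k home_create --raw | report_hidden_creates`. The filter keys on auid (the login uid, which survives su/sudo) rather than uid, so the third event is attributed to root's session even though the file lands in the user's home; the non-hidden notes.txt is dropped, which is exactly the post-hoc filtering the comment refers to.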