
On my Ubuntu box, I need to monitor which script/program/user is creating files in a path or its sub-directories.

The main idea is to identify a possible, yet unknown, security hole that is being exploited to inject malicious scripts into my system.

I think it may be possible with Linux's inotify? I've tried to find such a script without luck.

Can somebody suggest a simple script to do it?

Thanks

zed_0xff
arod
  • look at tripwire, solidcore, samhain, iwatch -- they may do what you want. also see here: http://stackoverflow.com/questions/3977890/monitor-directory-listing-for-changes – ChuckCottrill Oct 29 '13 at 18:48
  • @ChuckCottrill thanks very interesting stuff. I'll try iWatch... – arod Oct 29 '13 at 23:32

1 Answer

Thanks to @ChuckCottrill, I finally went with

nohup iwatch -r -e create,delete,close_write -t .ext /my/path > /tmp/files_changed.out &

tail -f /tmp/files_changed.out
arod
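
For comparison with the iwatch command above, here is an added example (not part of the original answer) that watches the same three events through the inotify API the question mentions, using only the Python standard library. inotify events carry no process ID, so the script prints each file's owner as the nearest answer to "which user"; the function names and output format are assumptions made for this sketch.

```python
import ctypes, ctypes.util, os, pwd, struct, sys

IN_CLOSE_WRITE, IN_CREATE, IN_DELETE, IN_ISDIR = 0x8, 0x100, 0x200, 0x40000000
NAMES = {IN_CREATE: "create", IN_DELETE: "delete", IN_CLOSE_WRITE: "close_write"}
HEADER = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len

def parse_events(buf):
    """Decode bytes read from an inotify fd into (wd, [events], is_dir, name)."""
    out, pos = [], 0
    while pos + HEADER.size <= len(buf):
        wd, mask, _cookie, length = HEADER.unpack_from(buf, pos)
        pos += HEADER.size
        # The name field is NUL-padded to `length` bytes.
        name = buf[pos:pos + length].split(b"\0", 1)[0].decode(errors="replace")
        pos += length
        events = [n for bit, n in NAMES.items() if mask & bit]
        out.append((wd, events, bool(mask & IN_ISDIR), name))
    return out

def owner(path):
    """User owning `path`, or "?" if the file is already gone."""
    try:
        uid = os.stat(path).st_uid
    except OSError:
        return "?"
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # uid with no passwd entry

def watch(root):
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    dirs = {}  # watch descriptor -> directory path
    def add(d):
        wd = libc.inotify_add_watch(fd, os.fsencode(d), IN_CREATE | IN_DELETE | IN_CLOSE_WRITE)
        if wd >= 0:
            dirs[wd] = d
    for d, _subdirs, _files in os.walk(root):
        add(d)
    while True:
        for wd, events, is_dir, name in parse_events(os.read(fd, 65536)):
            path = os.path.join(dirs.get(wd, "?"), name)
            if is_dir and "create" in events:
                add(path)  # files written before this watch is added are missed
            print(",".join(events), path, "owner=" + owner(path), flush=True)

if __name__ == "__main__":
    watch(sys.argv[1])  # e.g. /my/path
```
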