linux-hidden-files
Searches the /tmp, /dev, /home directories and their subdirectories on a Linux system for hidden files and directories whose names start with a period (.). You can use this to detect files hidden by attackers during forensic analysis.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | Administrator |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax

linux-hidden-files
Output fields
| Field | Type | Description |
|---|---|---|
| file_path | string | Absolute path of the file |
| file_name | string | File name |
| file_type | string | File type: `file` for a regular file, `directory` for a directory |
| permissions | string | POSIX file permission string (e.g., rwxr-xr-x). Returns null if permissions cannot be read. |
| file_size | long | File size (bytes) |
| file_ctime | timestamp | File creation time |
| file_mtime | timestamp | Last modification time |
| file_atime | timestamp | Last access time |
| owner_read | boolean | Whether the owner has read permission |
| owner_write | boolean | Whether the owner has write permission |
| owner_execute | boolean | Whether the owner has execute permission |
| group_read | boolean | Whether the group has read permission |
| group_write | boolean | Whether the group has write permission |
| group_execute | boolean | Whether the group has execute permission |
| others_read | boolean | Whether others have read permission |
| others_write | boolean | Whether others have write permission |
| others_execute | boolean | Whether others have execute permission |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 95040 | no-read-permission | Executed without administrator privileges |
Runtime errors
N/A
Description
The linux-hidden-files command recursively searches the /tmp, /dev, and /home directories for hidden files and directories whose names start with a period (.). For each item found, it collects metadata including the file path, size, timestamps, and POSIX file permissions, and assigns them to the output fields.
It follows symbolic links to read file attributes. If visiting a file fails (e.g., insufficient permissions), that file is skipped and the search continues.
This command requires administrator privileges. If privileges are insufficient, an error occurs at the parsing stage.
Examples
- Query hidden files

  `linux-hidden-files`

  Queries all hidden files and directories in the /tmp, /dev, and /home directories whose names start with a period (.).

- Filter hidden files with execute permission

  `linux-hidden-files | search file_type == "file" and owner_execute == true`

  Filters only hidden files where the owner has execute permission.

- Query recently modified hidden files

  `linux-hidden-files | search file_mtime >= ago("7d") | sort -file_mtime`

  Queries hidden files modified within the last 7 days, sorted by modification time in descending order.
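As an added illustration of what the Description section specifies (a recursive walk of the three roots, symlink-following attribute reads, skip-and-continue when an entry cannot be visited) and of the two filter examples above, the following Python script reimplements the same output fields with only the standard library. It is not the product's own code: the function names (find_hidden_files, executable_hidden_files, recently_modified, describe) are this example's own, the value `other` for non-regular, non-directory entries is an assumption since the page documents only `file` and `directory`, and demo() builds a constructed temporary directory that stands in for /tmp, /dev and /home so the script runs offline without administrator privileges.

```python
"""Added example: a standard-library reimplementation of the fields that
linux-hidden-files reports, with the behaviour the Description section gives
(follow symlinks for attributes, skip entries that cannot be visited).
Not the product's own code."""
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone

DEFAULT_ROOTS = ("/tmp", "/dev", "/home")  # the roots the command searches

# The nine boolean permission fields, mapped to their st_mode bits.
PERMISSION_BITS = (
    ("owner_read", stat.S_IRUSR), ("owner_write", stat.S_IWUSR), ("owner_execute", stat.S_IXUSR),
    ("group_read", stat.S_IRGRP), ("group_write", stat.S_IWGRP), ("group_execute", stat.S_IXGRP),
    ("others_read", stat.S_IROTH), ("others_write", stat.S_IWOTH), ("others_execute", stat.S_IXOTH),
)


def permission_string(mode):
    """POSIX permission string such as rwxr-xr-x (stat.filemode without the type character)."""
    return stat.filemode(mode)[1:]


def _utc(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def describe(path):
    """Build one output record for path. os.stat follows symbolic links, so a
    dangling link or an unreadable entry raises OSError for the caller to skip."""
    st = os.stat(path)
    if stat.S_ISDIR(st.st_mode):
        file_type = "directory"
    elif stat.S_ISREG(st.st_mode):
        file_type = "file"
    else:
        file_type = "other"  # assumption: the page documents only file and directory
    record = {
        "file_path": os.path.abspath(path),
        "file_name": os.path.basename(path),
        "file_type": file_type,
        "permissions": permission_string(st.st_mode),
        "file_size": st.st_size,
        "file_ctime": _utc(st.st_ctime),  # on Linux, stat's ctime is the inode change time
        "file_mtime": _utc(st.st_mtime),
        "file_atime": _utc(st.st_atime),
    }
    for field, bit in PERMISSION_BITS:
        record[field] = bool(st.st_mode & bit)
    return record


def find_hidden_files(roots=DEFAULT_ROOTS):
    """Recursively collect every entry whose name starts with '.' under each root."""
    records = []
    for root in roots:
        # os.walk silently skips directories it cannot list (onerror is None).
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                if not name.startswith("."):
                    continue
                try:
                    records.append(describe(os.path.join(dirpath, name)))
                except OSError:
                    continue  # insufficient permission or dangling symlink: skip it
    return records


def executable_hidden_files(records):
    """Same as: search file_type == "file" and owner_execute == true."""
    return [r for r in records if r["file_type"] == "file" and r["owner_execute"]]


def recently_modified(records, days=7, now=None):
    """Same as: search file_mtime >= ago("7d") | sort -file_mtime."""
    now = now or datetime.now(tz=timezone.utc)
    cutoff = now - timedelta(days=days)
    hits = [r for r in records if r["file_mtime"] >= cutoff]
    return sorted(hits, key=lambda r: r["file_mtime"], reverse=True)


def demo():
    """Constructed fixture: a temporary tree standing in for the real roots.
    Returns (all hidden records, owner-executable hidden files, last-7-day hits)."""
    base = tempfile.mkdtemp(prefix="hidden-files-demo-")
    os.mkdir(os.path.join(base, ".cache"))                       # hidden directory
    script = os.path.join(base, ".cache", ".hidden.sh")          # hidden, owner-executable
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    os.chmod(script, 0o755)
    history = os.path.join(base, ".bash_history")                # hidden, not executable
    with open(history, "w") as f:
        f.write("ls\n")
    os.chmod(history, 0o600)
    with open(os.path.join(base, "visible.txt"), "w") as f:      # not hidden: ignored
        f.write("plain\n")
    os.symlink("/nonexistent/target", os.path.join(base, ".dangling"))  # visit fails: skipped
    records = find_hidden_files([base])
    return records, executable_hidden_files(records), recently_modified(records)


if __name__ == "__main__":
    for rec in demo()[0]:
        print(rec["file_type"], rec["permissions"], rec["file_path"])
```

The dangling symlink in the fixture exercises the skip-and-continue rule: os.stat follows the link, fails with FileNotFoundError, and the walker moves on instead of aborting, which is the behaviour the Description section describes for entries that cannot be visited.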