linux-non-device-files
Queries the list of regular files (non-device files) in the Linux system's /dev directory. Because only device files should exist in /dev, the presence of regular files may indicate that unauthorized files have been created. Use this during security audits to verify the presence of such abnormal files.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | Administrator |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Output fields
| Field | Type | Description |
|---|---|---|
| file_path | string | Absolute path of the file |
| file_name | string | File name |
| file_type | string | File type. file or directory |
| permissions | string | File permission string (e.g., rwxr-xr-x) |
| file_size | long | File size (bytes) |
| file_ctime | timestamp | File creation time |
| file_mtime | timestamp | Last modification time |
| file_atime | timestamp | Last access time |
| owner_read | boolean | Whether the owner has read permission |
| owner_write | boolean | Whether the owner has write permission |
| owner_execute | boolean | Whether the owner has execute permission |
| group_read | boolean | Whether the group has read permission |
| group_write | boolean | Whether the group has write permission |
| group_execute | boolean | Whether the group has execute permission |
| others_read | boolean | Whether others have read permission |
| others_write | boolean | Whether others have write permission |
| others_execute | boolean | Whether others have execute permission |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 95040 | no-read-permission | Executed without administrator privileges |
Runtime errors
N/A
Description
The linux-non-device-files command runs find /dev -type f -print to search for regular files (-type f) in the /dev directory. For each file found, it collects metadata and assigns the file path, size, timestamps, and permission information to output fields.
On a healthy system, only device files, symbolic links, and directories should exist in the /dev directory. If a regular file is found, it may indicate that malicious files have been concealed, requiring further investigation.
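The same check as a stand-alone Python function, added here as an example (it is not the product's implementation): it walks a directory the way `find -type f` does and fills the output fields listed above. The function name, `PERM_BITS`, and the `same_fs_only` parameter are assumptions of this example.

```python
import os
import stat

# Output-field name -> mode bit, matching the permission fields in the table.
PERM_BITS = {
    "owner_read": stat.S_IRUSR, "owner_write": stat.S_IWUSR, "owner_execute": stat.S_IXUSR,
    "group_read": stat.S_IRGRP, "group_write": stat.S_IWGRP, "group_execute": stat.S_IXGRP,
    "others_read": stat.S_IROTH, "others_write": stat.S_IWOTH, "others_execute": stat.S_IXOTH,
}


def non_device_files(root="/dev", same_fs_only=False):
    """Regular files under root, as `find root -type f` reports them.
    same_fs_only=True mimics find's -xdev and skips other mounts such as the
    tmpfs usually at /dev/shm; it is this example's option, not the command's."""
    root_dev = os.lstat(root).st_dev
    rows = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        if same_fs_only:  # prune mount points before os.walk descends into them
            dirnames[:] = [d for d in dirnames
                           if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink to a file is not a file
            except OSError:
                continue  # entry vanished between listing and stat
            if not stat.S_ISREG(st.st_mode):
                continue  # device nodes, symlinks, sockets and FIFOs are expected
            row = {
                "file_path": path, "file_name": name, "file_type": "file",
                "permissions": stat.filemode(st.st_mode)[1:],  # drop the type char
                "file_size": st.st_size,
                "file_ctime": st.st_ctime,  # st_ctime is inode change time on Linux
                "file_mtime": st.st_mtime, "file_atime": st.st_atime,
            }
            row.update({k: bool(st.st_mode & b) for k, b in PERM_BITS.items()})
            rows.append(row)
    return rows


if __name__ == "__main__":
    for r in non_device_files("/dev"):
        print(r["permissions"], r["file_size"], r["file_path"])
```

Hits under /dev/shm are commonly POSIX shared-memory objects created by running applications, so review them against the owning process before treating them as findings.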
Examples
- Query non-device files in the /dev directory

  ```
  linux-non-device-files
  ```

  Queries the list of regular (non-device) files in the /dev directory.

- Query sorted by file size

  ```
  linux-non-device-files | sort -file_size
  ```

  Queries non-device files sorted by file size in descending order.