linux-tmp-files
Traverses the /tmp directory and its subdirectories on a Linux system to retrieve a list of all files. During forensic analysis, this command can be used to detect malicious files or attack traces left in the temporary directory.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | Administrator |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Output fields
| Field | Type | Description |
|---|---|---|
| file_path | string | Absolute path of the file |
| file_name | string | File name |
| file_type | string | File type: file for a regular file, directory for a directory |
| permissions | string | POSIX file permission string (e.g., rwxr-xr-x). Returns null if unreadable. |
| file_size | long | File size (bytes) |
| file_ctime | timestamp | File creation time |
| file_mtime | timestamp | Last modification time |
| file_atime | timestamp | Last access time |
| owner_read | boolean | Whether the owner has read permission |
| owner_write | boolean | Whether the owner has write permission |
| owner_execute | boolean | Whether the owner has execute permission |
| group_read | boolean | Whether the group has read permission |
| group_write | boolean | Whether the group has write permission |
| group_execute | boolean | Whether the group has execute permission |
| others_read | boolean | Whether others have read permission |
| others_write | boolean | Whether others have write permission |
| others_execute | boolean | Whether others have execute permission |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 95040 | no-read-permission | Occurs when the command is run without administrator privilege |
Runtime errors
N/A
Description
The linux-tmp-files command recursively traverses the /tmp directory and collects metadata for every file it finds. For each file it populates the output fields with the file path, size, timestamps, and POSIX permission information.
The command follows symbolic links when reading file attributes. If reading a file's attributes fails (e.g., because of insufficient permissions), that file is skipped and the traversal continues.
This command requires administrator privilege. Without it, an error occurs at the parse stage.
Examples
- Retrieve a list of files in the temporary directory

  linux-tmp-files

  Retrieves a list of all files in the /tmp directory.

- Retrieve large temporary files

  linux-tmp-files | search file_type == "file" | sort -file_size | limit 20

  Filters only regular files in the /tmp directory, sorts them in descending order by size, and retrieves the top 20.

- Detect executable files in the temporary directory

  linux-tmp-files | search file_type == "file" and owner_execute == true

  Retrieves files with execute permission in the /tmp directory. The presence of executable files in a temporary directory can be an indicator of a security incident.
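As an added example, not part of this page and not the product's own implementation of linux-tmp-files, the following Python script reproduces the behaviour the Description section documents and the two filters used in the Examples: it walks a directory tree, follows symbolic links when reading attributes, skips entries it cannot stat, builds the same output fields (permission string, per-class booleans, size, timestamps), and then applies the "largest regular files" and "executable files" queries. The sample tree it creates is constructed for the demonstration; the function names and the file_type value "other" for non-regular, non-directory entries are assumptions of this example, not something the page defines.

```python
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

# Permission bits behind the boolean output fields (assumed mapping; the page
# lists the field names but not how they are derived).
FIELD_BITS = [
    ("owner_read", stat.S_IRUSR), ("owner_write", stat.S_IWUSR), ("owner_execute", stat.S_IXUSR),
    ("group_read", stat.S_IRGRP), ("group_write", stat.S_IWGRP), ("group_execute", stat.S_IXGRP),
    ("others_read", stat.S_IROTH), ("others_write", stat.S_IWOTH), ("others_execute", stat.S_IXOTH),
]


def permission_string(mode):
    """9-character POSIX permission string such as 'rwxr-xr-x' (type char dropped)."""
    return stat.filemode(mode)[1:]


def describe(path):
    """Build one output record. os.stat follows symlinks, as the command does."""
    st = os.stat(path)
    if stat.S_ISDIR(st.st_mode):
        file_type = "directory"
    elif stat.S_ISREG(st.st_mode):
        file_type = "file"
    else:
        file_type = "other"  # assumption: page only documents file/directory
    record = {
        "file_path": os.path.abspath(path),
        "file_name": os.path.basename(path),
        "file_type": file_type,
        "permissions": permission_string(st.st_mode),
        "file_size": st.st_size,
        # On Linux st_ctime is the inode change time; st_birthtime is not
        # exposed by os.stat on most Linux builds.
        "file_ctime": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc),
        "file_mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
        "file_atime": datetime.fromtimestamp(st.st_atime, tz=timezone.utc),
    }
    for name, bit in FIELD_BITS:
        record[name] = bool(st.st_mode & bit)
    return record


def walk_tmp(root="/tmp"):
    """Recursively collect records; entries whose attributes cannot be read are skipped."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            try:
                records.append(describe(os.path.join(dirpath, name)))
            except OSError:
                continue  # e.g. dangling symlink or permission denied: skip, keep going
    return records


def largest_regular_files(records, limit=20):
    """Equivalent of: search file_type == "file" | sort -file_size | limit N."""
    files = [r for r in records if r["file_type"] == "file"]
    return sorted(files, key=lambda r: r["file_size"], reverse=True)[:limit]


def executable_files(records):
    """Equivalent of: search file_type == "file" and owner_execute == true."""
    return [r for r in records if r["file_type"] == "file" and r["owner_execute"]]


def build_sample_tree():
    """Constructed stand-in for /tmp: a large file, a nested executable script,
    a private note, a symlink to the large file, and a dangling symlink."""
    root = tempfile.mkdtemp(prefix="tmp-files-demo-")
    big = os.path.join(root, "upload.bin")
    with open(big, "wb") as f:
        f.write(b"\x00" * 3000)
    os.chmod(big, 0o644)
    sub = os.path.join(root, "work")
    os.mkdir(sub)
    script = os.path.join(sub, "run.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho hi\n")
    os.chmod(script, 0o755)
    note = os.path.join(sub, "notes.txt")
    with open(note, "w") as f:
        f.write("x" * 10)
    os.chmod(note, 0o600)
    os.symlink(os.path.join(root, "missing"), os.path.join(root, "dangling"))
    os.symlink(big, os.path.join(root, "link-to-upload"))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        recs = walk_tmp(root)
        for r in largest_regular_files(recs, 3):
            print(f"{r['file_size']:>6}  {r['permissions']}  {r['file_path']}")
        print("executable:", [r["file_name"] for r in executable_files(recs)])
    finally:
        shutil.rmtree(root)
```

Point walk_tmp at the real /tmp to reproduce the first example; the dangling symlink in the sample tree shows the skip-and-continue behaviour, and the symlink to upload.bin shows that attributes come from the link target while file_path stays the link's own path.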