Lynis Security Controls

LOGG-2190 - Deleted files


Deleted files may sometimes be in use by applications. While this is uncommon behavior, it's usually seen by malicious software to hide its presence on the system. Investigate the related files by determining which application keeps it open and the related reason.



How to solve

Most software needs to read from files, or write to them. It is also common to see that software creates temporary files, to deal with data, until the program closes. Temporary files are often stored in /tmp or /var/tmp.

To open a file, the software uses a system call (or syscall), like fopen, and tells the kernel if it likes to open it for reading, writing, appending data, or otherwise. It would be too much risk when software could have full access to the hard disk, without any control. So the kernel will return a file descriptor instead, and the software can use that. When it is done with the file, it will tell the kernel again to close. For temporary files it usually then also gives it a request to delete it, so it doesn't use up valuable disk space.

Some programs are known to deal incorrectly with temporary files and in particular the order of closing a file handle and deleting a file. The result is that the file is deleted from disk, but the file handle is actually not closed. In such case, the data is only freed when the handle gets closed. This may happen at the time the program is stopped or reloaded. With systems running 24 hours a day, this may be a very long time.

Lynis helps to determine which files are deleted, yet still opened with a file handle. When using the ls command, you could recognize these files by having a reference count of zero (0). This is the second field of the ls output. Also lsof helps you showing what files are opened and which of them are deleted. In such case have a look what process is keeping them open. Sometimes a simple reload or restart may help. It may also be a bug in the software, which in such case could be reported to the vendor or author of the software.

Perform daily health checks of your environment, learn in-depth system hardening, and protect your systems better.

Upgrade to Lynis Enterprise

Linux and Unix System Hardening

This information is provided as part of the Lynis community project. It is related to Lynis control LOGG-2190. All information should be considered as-is, without guarantees. Any advice or snippets should be tested before implementing in production environments.


Lynis is a technical security audit tool for Unix flavors like Linux, macOS, AIX, Solaris, and *BSD. It is open source software and free to use. The project has an active community, including open development via GitHub.

Lynis Enterprise

Need more advanced features, like vulnerability scanning, or reporting installed software packages? Lynis Enterprise will collect more data and present it with an easy to use web interface.

Gain additional benefits: automating security audits, reporting, and the implementation of related security measures.

Lynis Enterprise includes
  • Centralized management
  • Prioritized plans
  • Reporting
  • Dashboards
  • Integration (API)
  • Improvement snippets for tools like Ansible, Chef, Cfengine, Puppet, and SaltStack

Take the Tour