LOGG-2190 - Deleted files

This information is provided as part of the Lynis community project. It is related to Lynis control LOGG-2190 and should be considered as-is and without guarantees. Any advice and commands should be tested before implementing them in production environments.

Control details


Deleted files may sometimes be in use by applications. While this is uncommon behavior, it's usually seen by malicious software to hide its presence on the system. Investigate the related files by determining which application keeps it open and the related reason.

How to solve

Most software needs to read from files, or write to them. It is also common to see that software creates temporary files, to deal with data, until the program closes. Temporary files are often stored in /tmp or /var/tmp.

To open a file, the software uses a system call (or syscall), like fopen, and tells the kernel if it likes to open it for reading, writing, appending data, or otherwise. It would be too much risk when software could have full access to the hard disk, without any control. So the kernel will return a file descriptor instead, and the software can use that. When it is done with the file, it will tell the kernel again to close. For temporary files it usually then also gives it a request to delete it, so it doesn't use up valuable disk space.

Some programs are known to deal incorrectly with temporary files and in particular the order of closing a file handle and deleting a file. The result is that the file is deleted from disk, but the file handle is actually not closed. In such case, the data is only freed when the handle gets closed. This may happen at the time the program is stopped or reloaded. With systems running 24 hours a day, this may be a very long time.

Lynis helps to determine which files are deleted, yet still opened with a file handle. When using the ls command, you could recognize these files by having a reference count of zero (0). This is the second field of the ls output. Also lsof helps you showing what files are opened and which of them are deleted. In such case have a look what process is keeping them open. Sometimes a simple reload or restart may help. It may also be a bug in the software, which in such case could be reported to the vendor or author of the software.

Need more details?

Consider the upgrade to Lynis Enterprise to receive additional details and guidance. The Enterprise version helps to you with daily health checks of your environment, learn in-depth system hardening, and resources to protect your systems better.

See demo


Lynis is a technical security auditing tool for Unix flavors like Linux, macOS, AIX, Solaris, and *BSD. It is open source software and free to use. Typical usage include system hardening, compliance testing, and vulnerability scanning. The project has an active community, including development via GitHub.

Lynis Enterprise

Do you need to collect data from multiple systems or compliance reporting? Lynis Enterprise uses Lynis to collect the data and make your work easier.

Benefits: automate security audits, detailed reporting, compliance testing.

  • Centralized management
  • Improvement plan with priorities
  • Reporting
  • Dashboards
  • Predefined policies
  • Integration (API)
  • Improvement snippets for tools like Ansible, Chef, Cfengine, Puppet, and SaltStack
Take the Tour