How to find which program/service/process touch the file?
 

Any of our created directories in /tmp folder erasing after some time... I cannot track which program/service/process touch the file...

Looks like tmpwatch is not a problem - it is to be run daily, not an every few minutes!
I have removed it completely just for sure - and it is not helps...

How can I do the trace?.. For example do chattr +i /tmp/newdir and then watch which process access this dir?

Point me to manual/links on this theme. (please, not recommend SNARE - it is require kernel recompile which I cannot to do for now, especiall for RH7.3)

Thank you.

Here's three choices, all with their cons and pro's: Dirwatch from http://pedram.redhive.com/, Auditunlink from freshmeat.net or somethink like Syscalltrack at Sourceforge.net.
Auditunlink is a preloaded library and if you got your RHL7.x kernel source then building Syscaltrack modules should be easy.

Thank you.
 

Thank you, I will take a look at these links.