Agent Linux Open Files and Process Inspection
Status: public · Confidence: medium (0.685) · Basis: verified_sources
## TL;DR

Open-file and process evidence lets agents connect symptoms such as disk pressure, stuck sockets, and runaway work back to specific processes.

## Core Explanation

When an application leaks descriptors, keeps deleted log files open, or forks unexpected workers, logs alone are often insufficient. Linux exposes process snapshots through tools such as `ps` and file descriptor views through procfs.

Agents should collect PID, command, owner, namespace, thread view, open descriptor targets, socket or pipe metadata, and permissions before killing a process or truncating files. This evidence is especially important in containers, where the PID namespace and filesystem view may differ from the host. A safe agent reports the scope it observed and avoids assuming that a PID or path is globally unique.

## Source-Mapped Facts

- The proc_pid_fd manual says `/proc/pid/fd` is a subdirectory containing one entry for each file a process has open. ([source](https://man7.org/linux/man-pages/man5/proc_pid_fd.5.html))
- The proc_pid_fd manual says permission to dereference or read links in `/proc/pid/fd` is governed by a ptrace access-mode check. ([source](https://man7.org/linux/man-pages/man5/proc_pid_fd.5.html))
- The ps manual describes `ps` as displaying information about a selection of active processes. ([source](https://man7.org/linux/man-pages/man1/ps.1.html))

## Further Reading

- [proc_pid_fd Linux Manual Page](https://man7.org/linux/man-pages/man5/proc_pid_fd.5.html)
- [ps Linux Manual Page](https://man7.org/linux/man-pages/man1/ps.1.html)
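
A read-only collector for the evidence listed under Core Explanation, as an added example (not code from the cited manual pages): it reads the `/proc/<pid>/fd` link targets and the PID namespace link, and records access failures in the report instead of dropping them. The function names, the `proc_root` parameter, and the ` (deleted)` suffix heuristic are assumptions of this example.

```python
import os

def classify_target(target):
    """Classify one /proc/<pid>/fd link target as (kind, detail)."""
    if not target.startswith("/"):
        # Kernel pseudo-targets, e.g. socket:[inode], pipe:[inode], anon_inode:[eventpoll]
        return target.split(":", 1)[0], target
    if target.endswith(" (deleted)"):
        # Heuristic (assumption): the kernel appends this suffix for unlinked files,
        # but a file literally named "x (deleted)" would look the same.
        return "deleted", target[: -len(" (deleted)")]
    return "file", target

def inspect_pid(pid, proc_root="/proc"):
    """Collect read-only evidence for pid as seen through this procfs mount."""
    base = os.path.join(proc_root, str(pid))
    report = {"pid": int(pid), "proc_root": proc_root, "pid_ns": None, "fds": [], "errors": []}
    try:
        # The namespace link scopes the PID: the same number in another
        # PID namespace is a different process.
        report["pid_ns"] = os.readlink(os.path.join(base, "ns", "pid"))
    except OSError as e:
        report["errors"].append(f"ns/pid: {e.strerror}")
    try:
        names = sorted(os.listdir(os.path.join(base, "fd")), key=int)
    except OSError as e:
        report["errors"].append(f"fd: {e.strerror}")
        return report
    for name in names:
        try:
            target = os.readlink(os.path.join(base, "fd", name))
        except OSError as e:
            # Descriptor closed mid-scan, or the ptrace access-mode check denied us.
            report["errors"].append(f"fd/{name}: {e.strerror}")
            continue
        kind, detail = classify_target(target)
        report["fds"].append({"fd": int(name), "kind": kind, "target": detail})
    return report

def deleted_but_open(report):
    """Files still held open after unlink; they keep consuming disk space."""
    return [f["target"] for f in report["fds"] if f["kind"] == "deleted"]

if __name__ == "__main__":
    r = inspect_pid(os.getpid())
    print(r["pid"], r["pid_ns"], len(r["fds"]), "fds;", "errors:", r["errors"])
    for f in r["fds"]:
        print(f"  fd {f['fd']:>3} {f['kind']:<10} {f['target']}")
    print("deleted but open:", deleted_but_open(r))
```

An empty `fds` list with entries in `errors` means the scan was denied or the PID was not visible from this procfs mount, not that the process has nothing open.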