Is there any way in unix to find out who accessed a certain file in the last week? It may be a user, or some script that FTPs it to some other place. Can I get a list of the user names who accessed a certain file? How can I find out who is accessing a particular file?
Linux file access monitoring
files linux monitoring
Best Answer
Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information). You can find out who was logged in at what time in the system logs; the `last` command gives you login history, and other logs such as `/var/log/auth.log` will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely).
The date at which a file was last read is called its access time, or atime for short. All unix filesystems can store it, but many systems don't record it, because it has a (usually small) performance penalty. `ls -ltu /path/to/file` or `stat /path/to/file` shows the file's access time.
If a user accessed the file and wasn't trying to hide his tracks, his shell history (e.g. `~/.bash_history`) may have clues.
To find out what or who has a file open now, use `lsof /path/to/file`.
To log what happens to a file in the future, there are a few ways:
Use inotifywait. `inotifywait -me access /path/to` will print a line `/path/to/ ACCESS file` when someone reads `file`. This interface won't tell you who accessed the file; you can call `lsof /path/to/file` as soon as this line appears, but there's a race condition (the access may be over by the time lsof gets going).
LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. To configure it, see LoggedFS configuration file syntax.
You can use Linux's audit subsystem to log a large number of things, including filesystem accesses. Make sure the `auditd` daemon is started, then configure what you want to log with `auditctl`. Each logged operation is recorded in `/var/log/audit/audit.log` (on typical distributions). To start watching a particular file:
If you put a watch on a directory, the files in it and its subdirectories recursively are also watched.
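Added example, not part of the original answer: with an audit watch in place (for instance `auditctl -w /path/to/file -p r -k file-watch`), each access is logged as SYSCALL, CWD and PATH records that share one event id. The sketch below correlates them to list who read a file; the log lines, the path `/srv/data/report.csv`, the key name `file-watch` and the function name `accesses` are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Constructed sample records in the raw audit.log layout (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:451): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="file-watch"
type=CWD msg=audit(1700000000.123:451): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:451): item=0 name="/srv/data/report.csv" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1700000360.500:452): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2200 pid=2301 auid=1001 uid=0 gid=0 tty=pts1 ses=7 comm="scp" exe="/usr/bin/scp" key="file-watch"
type=CWD msg=audit(1700000360.500:452): cwd="/srv/data"
type=PATH msg=audit(1700000360.500:452): item=0 name="report.csv" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1700000400.010:453): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1240 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="file-watch"
type=CWD msg=audit(1700000400.010:453): cwd="/home/alice"
type=PATH msg=audit(1700000400.010:453): item=0 name="/srv/data/other.txt" inode=140 nametype=NORMAL
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def accesses(log_text, target):
    """Return sorted (epoch, auid, uid, exe) tuples for events touching target."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[(epoch, serial)]  # records of one event share this id
        if rtype == "SYSCALL":
            # auid is the login uid: it stays the same across su/sudo,
            # while uid is the identity the process ran as.
            ev.update(epoch=int(epoch), auid=fields.get("auid"),
                      uid=fields.get("uid"), exe=fields.get("exe"))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd", "/")
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
    hits = []
    for ev in events.values():
        # PATH names may be relative; resolve them against the CWD record.
        cwd = ev.get("cwd", "/")
        resolved = {os.path.normpath(os.path.join(cwd, p)) for p in ev["paths"]}
        if target in resolved and "exe" in ev:
            hits.append((ev["epoch"], ev["auid"], ev["uid"], ev["exe"]))
    return sorted(hits)
```

In the sample, the second hit ran as uid 0 but carries auid 1001, so the read is attributed to the account that originally logged in rather than to root.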