Linux file access monitoring

files, linux, monitoring

Is there any way in Unix to find out who accessed a certain file in the last week? It may be a user or some script that FTPs it to some other place. Can I get a list of the user names who accessed a certain file? How can I find out who is accessing a particular file?

Best Answer

Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information). You can find out who was logged in at what time in the system logs; the last command gives you login history, and other logs such as /var/log/auth.log will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely).

The date at which a file was last read is called its access time, or atime for short. All unix filesystems can store it, but many systems don't record it, because it has a (usually small) performance penalty. ls -ltu /path/to/file or stat /path/to/file shows the file's access time.

If a user accessed the file and wasn't trying to hide his tracks, his shell history (e.g. ~/.bash_history) may have clues.

To find out what or who has a file open now, use lsof /path/to/file.

To log what happens to a file in the future, there are a few ways:

  • Use inotifywait. inotifywait -me access /path/to will print a line /path/to/ ACCESS file when someone reads file. This interface won't tell you who accessed the file; you can call lsof /path/to/file as soon as this line appears, but there's a race condition (the access may be over by the time lsof gets going).

  • LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. To configure it, see LoggedFS configuration file syntax.

  • You can use Linux's audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

      auditctl -w /path/to/file
    

    If you put a watch on a directory, the files in it and its subdirectories recursively are also watched.
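Once a watch like the one above is in place, answering the original question ("who touched this file, with which program?") comes down to reading /var/log/audit/audit.log, where each event is split over several records (SYSCALL, CWD, PATH) that share a serial number inside msg=audit(timestamp:serial). The following is an added example, not part of the answer above: a POSIX shell function that joins the SYSCALL record of each event to the PATH record naming the watched file and reports the login uid (auid, which is set at login and survives su/sudo), effective uid, command, executable, syscall number and outcome. The log lines are constructed for illustration and follow auditd's standard text format; no -k key is assumed, matching the plain -w watch shown above.

```sh
#!/bin/sh
# Added example: summarise who accessed a watched file from audit.log records.
# Assumes the standard auditd text format; the sample records below are constructed.

# Print a constructed audit.log excerpt: two reads of /path/to/file (alice with cat,
# bob over SFTP) and one read of an unrelated file that must not be reported.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0 a2=0 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=CWD msg=audit(1700000000.101:101): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:101): item=0 name="/path/to/file" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:102): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffc10 a2=0 a3=0 items=1 ppid=2200 pid=2201 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=7 comm="sftp-server" exe="/usr/lib/openssh/sftp-server" key=(null)
type=CWD msg=audit(1700000000.202:102): cwd="/home/bob"
type=PATH msg=audit(1700000000.202:102): item=0 name="/path/to/file" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:103): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2c0 a2=0 a3=0 items=1 ppid=3300 pid=3301 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=9 comm="cat" exe="/usr/bin/cat" key=(null)
type=CWD msg=audit(1700000000.303:103): cwd="/home/carol"
type=PATH msg=audit(1700000000.303:103): item=0 name="/path/to/other" inode=5678 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# audit_file_accessors WATCHED_PATH AUDIT_LOG
# Prints one line per event that named WATCHED_PATH:
#   auid uid comm exe syscall success
# The log is read twice: pass 1 indexes SYSCALL records by serial,
# pass 2 matches PATH records and looks up the corresponding SYSCALL record.
audit_file_accessors() {
    awk -v target="$1" '
        # Value of KEY=... in a record; quotes stripped. Values here contain no spaces.
        function field(rec, key,    m) {
            if (match(rec, " " key "=[^ ]*")) {
                m = substr(rec, RSTART, RLENGTH)
                sub("^ " key "=", "", m)
                gsub(/"/, "", m)
                return m
            }
            return "-"
        }
        # Serial number from msg=audit(TIMESTAMP:SERIAL)
        function serial(rec,    m) {
            if (match(rec, /msg=audit\([0-9.]+:[0-9]+\)/)) {
                m = substr(rec, RSTART, RLENGTH)
                sub(/.*:/, "", m)
                sub(/\)/, "", m)
                return m
            }
            return ""
        }
        # Pass 1: remember each SYSCALL record under its serial.
        NR == FNR && /^type=SYSCALL / { sys[serial($0)] = $0; next }
        # Pass 2: PATH records naming the target select the event to report.
        NR != FNR && /^type=PATH / && field($0, "name") == target {
            s = serial($0)
            if (s in sys && !(s in seen)) {
                seen[s] = 1
                r = sys[s]
                print field(r, "auid"), field(r, "uid"), field(r, "comm"),
                      field(r, "exe"), field(r, "syscall"), field(r, "success")
            }
        }
    ' "$2" "$2"
}

# Stand-alone demo on the constructed excerpt; on a real system pass
# /var/log/audit/audit.log (readable by root) as the second argument.
log=$(mktemp)
sample_audit_log > "$log"
audit_file_accessors /path/to/file "$log"
rm -f "$log"
```

Reporting auid alongside uid is what makes this useful for the question's scenario: a script run by cron or an administrator who became root via sudo still carries the login uid of the account that started the session, which is the name the asker wants. The PATH record is matched on the exact name logged, so a file reached through a different path or a symlink shows up under that name instead.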
