How can I log file access from users?
Solution 1
Using iwatch

iwatch o_O is a realtime filesystem monitoring program using inotify, and a working local mail service.
For better obscurity you should change the mail address and start the daemon as root, or something else … :)
    sudo apt-get install iwatch

Create a configuration file with the name iwatch.xml:

    <?xml version="1.0" ?>
    <!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >
    <config>
      <guard email="username@localhost" name="iWatch"/>
      <watchlist>
        <title>a title</title>
        <contactpoint email="username@localhost" name="foo bar"/>
        <path type="recursive" events="default">/home/username</path>
      </watchlist>
    </config>

Start the daemon:

    iwatch -d -f iwatch.xml -p ~/iwatch.pid

    -d    Execute the application as daemon. iWatch will run in foreground without this option.
    -f    Specify alternative configuration file. Default is /etc/iwatch/iwatch.xml
    -p    Specify an alternate pid file. Default: /var/run/iwatch.pid

Check your local mail ;)
Some interesting events
    -e event [,event[,..]]

Specify a list of events you want to watch. Following are the possible events you can use:
access : file was modified
modify : file was modified
attrib : file attributes changed
close_write : file closed, after being opened in writeable mode
close_nowrite : file closed, after being opened in read-only mode
close : file closed, regardless of read/write mode
open : file was opened
moved_from : File was moved away from.
moved_to : File was moved to.
move : a file/dir within watched directory was moved
create : a file was created within watched directory
delete : a file was deleted within watched directory
delete_self : the watched file was deleted
unmount : file system on which watched file exists was unmounted
q_overflow : Event queue overflowed
ignored : File was ignored
isdir : event occurred against dir
oneshot : only send event once
all_events : All events
default : close_write, create, delete, move, delete_self and move_self.
More information here
Solution 2
Don't reinvent the wheel - badly.
Use auditing. Tracking who accesses what files is exactly what auditing is for.
A good link to get started is here.
Auditing goals
By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include:
- Audit file access and modification
- See who changed a particular file
- Detect unauthorized changes
- Monitoring of system calls and functions
- Detect anomalies like crashing processes
- Set tripwires for intrusion detection purposes
- Record commands used by individual users
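As an added example (not part of the answer above, and not the audit project's own tooling), the following script shows what "who accessed what" looks like once auditd is in place, which also answers the later objection that a file monitor "won't say what user accessed the file". It assumes a watch rule with the key home_access (shown in the comments) and joins the SYSCALL record of each event, which carries the login uid (auid), to the PATH record, which carries the file name. The log lines are constructed for the demo; audit_file_access_report and sample_report are names chosen here.

```shell
#!/bin/sh
# Added example: join auditd records into "who accessed what".
# Assumed watch rule, installed as root outside this script (persist it in
# /etc/audit/rules.d/ to survive reboots):
#   auditctl -w /home/username -p rwa -k home_access
# Every matching open/read/write/attr change yields one event: a SYSCALL record
# with auid (the login uid, which survives sudo and su), uid, comm and the key,
# plus CWD and PATH records naming the file. Records of one event share the
# msg=audit(TIMESTAMP:SERIAL) id, which is what the awk script joins on.
# "ausearch -k home_access -i" does the same join and resolves uids to names;
# this script shows the mechanics on a constructed log.

# Constructed excerpt of /var/log/audit/audit.log (three events, not a real capture).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1663500000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2a3b40 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="home_access"
type=CWD msg=audit(1663500000.123:456): cwd="/home/username"
type=PATH msg=audit(1663500000.123:456): item=0 name="/home/username/notes.txt" inode=1310722 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1663500042.500:457): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2e3c0a2a0 a2=0 a3=0 items=2 ppid=2100 pid=2101 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="less" exe="/usr/bin/less" key="home_access"
type=CWD msg=audit(1663500042.500:457): cwd="/root"
type=PATH msg=audit(1663500042.500:457): item=0 name="/home/username/.ssh/" inode=1310730 dev=08:01 mode=040700 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1663500042.500:457): item=1 name="/home/username/.ssh/id_rsa" inode=1310731 dev=08:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1663500100.001:458): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55e0b1a2c4f0 a2=90800 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb.mlocate" key="home_access"
type=PATH msg=audit(1663500100.001:458): item=0 name="/home/username/Documents" inode=1310740 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL'

# audit_file_access_report [LOGFILE] KEY [AUID]
# One line per event: "<timestamp> auid=<login uid> uid=<effective uid> <comm> <path>".
# LOGFILE "" reads stdin; AUID 4294967295 (no login session: cron, daemons)
# is reported as "unset"; an AUID filter keeps only that login user's events.
audit_file_access_report() {
    awk -v want_key="$2" -v want_auid="${3:-}" '
    # kv(line, name): value of the "name=..." field, quotes stripped, "" if absent
    function kv(line, name,    s) {
        if (!match(" " line, " " name "=[^ ]*")) return ""
        s = substr(" " line, RSTART, RLENGTH)
        sub("^ " name "=", "", s)
        gsub(/"/, "", s)
        return s
    }
    {
        if (!match($0, /msg=audit\([0-9.]*:[0-9]*\)/)) next
        id = substr($0, RSTART + 10, RLENGTH - 11)        # "TIMESTAMP:SERIAL"
        rtype = kv($0, "type")
        if (rtype == "SYSCALL" && kv($0, "key") == want_key) {
            if (!(id in auid)) order[++n] = id
            auid[id] = kv($0, "auid"); uid[id] = kv($0, "uid"); comm[id] = kv($0, "comm")
            if (auid[id] == "4294967295") auid[id] = "unset"
        } else if (rtype == "PATH" && kv($0, "nametype") != "PARENT") {
            path[id] = kv($0, "name")      # the non-PARENT item is the file itself
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (!(id in path)) continue                      # no file name recorded
            if (want_auid != "" && auid[id] != want_auid) continue
            split(id, ts, ":")
            printf "%s auid=%s uid=%s %s %s\n", ts[1], auid[id], uid[id], comm[id], path[id]
        }
    }' ${1:+"$1"}    # no LOGFILE given: read stdin
}

# sample_report [AUID]: run the report over the constructed sample.
sample_report() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_file_access_report "" home_access "$1"
}

# Real use: audit_file_access_report /var/log/audit/audit.log home_access 1001
sample_report 1001
```

The second sample event is the one a file monitor cannot attribute: the guest ran the read through sudo (uid=0), but auid still says 1001, because the audit subsystem pins the login uid at session start. The third event (auid unset) is a daemon touching the watched tree, which is why filtering on auid rather than uid is the right question to ask the log.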
Solution 3
Using find
The following solution does not work with deleted files, and it only works if you have not set noatime in your fstab, e.g.:

    defaults,noatime

Using find after you have your account back:

    find ~ -atime -1

means accessed less than 1 day ago. Or a combination:

    find ~ -atime 1 -atime -2

means 1-2 days ago.

From man find:

    -atime n
        File was last accessed n*24 hours ago. When find figures out how many
        24-hour periods ago the file was last accessed, any fractional part is
        ignored, so to match -atime +1, a file has to have been accessed at
        least two days ago.
    -amin n
        File was last accessed n minutes ago.
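As an added example (not from the answer above), two helpers around the atime approach: one checks which atime policy the filesystem actually uses before the result is trusted, the other lists everything read since a marker file created just before the handover, which is more precise than a 24-hour -atime window. It assumes GNU or BSD find (-anewer is not in POSIX find) and Linux /proc/mounts; atime_mode, accessed_since and demo_accessed_since are names chosen here, and the demo files are constructed.

```shell
#!/bin/sh
# Added example: the atime approach from the answer, made usable for a handover.
# Needs GNU or BSD find (-anewer is not in POSIX find) and Linux /proc/mounts
# for the mount-option check.

# atime_mode DIR: print the atime policy of the filesystem holding DIR:
# "noatime" (reads never update atime, so find -atime sees nothing),
# "relatime" (Linux default: atime is updated only if it is older than mtime
# or older than 24h, so repeated reads within a day are not recorded),
# "strictatime" (every read updates atime), or "unknown".
atime_mode() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo unknown; return; }
    [ -r /proc/mounts ] || { echo unknown; return; }
    awk -v dir="$dir" '
    $2 == "/" || dir == $2 || index(dir, $2 "/") == 1 {
        # longest matching mount point wins; later lines override earlier
        # mounts on the same point (the topmost mount is listed last)
        if (length($2) >= length(best)) { best = $2; opts = $4 }
    }
    END {
        if (best == "") { print "unknown"; exit }
        mode = "strictatime"        # neither flag present means strict updates
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] == "noatime" || o[i] == "relatime") mode = o[i]
        print mode
    }' /proc/mounts
}

# accessed_since STAMP DIR: regular files under DIR whose atime is newer than
# STAMP's mtime. Create STAMP with "touch STAMP" right before handing the
# session over; afterwards this lists everything read since (deleted files
# are still missed, as the answer says).
accessed_since() {
    find "$2" -type f -anewer "$1" | sort
}

# Constructed scenario in a temporary directory: atimes are set explicitly
# with touch -a so the demo does not depend on the mount's atime policy.
demo_accessed_since() {
    stamp=$(mktemp) && d=$(mktemp -d) || return 1
    touch -t 202209180900 "$stamp"                     # handover at 09:00
    for f in a.txt b.txt c.txt; do : > "$d/$f"; done
    touch -a -t 202209180830 "$d/a.txt"                # read before handover
    touch -a -t 202209180915 "$d/b.txt"                # read after handover
    touch -a -t 202209181200 "$d/c.txt"                # read after handover
    accessed_since "$stamp" "$d" | sed "s|^$d/||"
    rm -rf "$d" "$stamp"
}

# Real use, after getting the account back (stamp created beforehand with
# "touch ~/.handover"):
#   atime_mode ~                 # noatime means the listing below is empty
#   accessed_since ~/.handover ~
atime_mode "$HOME"
demo_accessed_since
```

On a relatime mount (the Ubuntu default, which is what "defaults" gives you) the first read of a file in a day is recorded but later reads are not, so the listing is a lower bound on what was opened, never a complete log.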
Nano
Updated on September 18, 2022

Comments
- Nano (over 1 year): I have to give someone access to my computer, but I want to know afterwards which files he accessed... Can I create a log file for that? Is there an existing program for that? I know how to track processes but I just want the files accessed by one user.
- kos (almost 9 years): Nice, but you must also either set the atime attribute to the files to track prior to the access (using chattr) or mount the file system with the atime option: tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/…
- A.B. (almost 9 years): @kos I thought defaults includes atime
- Rinzwind (almost 9 years): The act of deleting files is not solved with this ;)
- A.B. (almost 9 years): @Rinzwind Umpf, you're right.
- Rinzwind (almost 9 years): Maybe inotify. But that probably works on a per file... so that will be lots of work :(
- A.B. (almost 9 years): @kos, you can recycle your answer: askubuntu.com/a/615435/367165
- kos (almost 9 years): I don't know, now I can't, if you want to recycle it I won't mind, you gave the same answer as well! I'm trying to figure out which is the default behavior for atime in Ubuntu but I'm not on Ubuntu right now, on Debian atime is not changed for a simple read, if you want to test it on Ubuntu I used this: ls -l --time=atime
- A.B. (almost 9 years): Works in Ubuntu, tested.
- kos (almost 9 years): Ok +1 then, if you want to add the inoticoming thing you should feel free though!
- A.B. (almost 9 years): @kos I'm not sure if it works with sub-folders.
- A.B. (almost 9 years): @Rinzwind see my other answer =)
- kos (almost 9 years): No, probably not, or too much hassle to work out a solution.
- Edward Torvalds (over 8 years): is there a way to stop it from emailing anybody and just execute command?
- A.B. (over 8 years): @edwardtorvalds I'm not sure. The guard tag is necessary but maybe you could use another attribute.
- jasmines (almost 3 years): won't say what user accessed the file