Linux file access monitoring

88,308

Solution 1

Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information). You can find out who was logged in at what time in the system logs; the last command gives you login history, and other logs such as /var/log/auth.log will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely).

The date at which a file was last read is called its access time, or atime for short. All unix filesystems can store it, but many systems don't record it, because it has a (usually small) performance penalty. ls -ltu /path/to/file or stat /path/to/file shows the file's access time.

If a user accessed the file and wasn't trying to hide his tracks, his shell history (e.g. ~/.bash_history) may have clues.

To find out what or who has a file open now, use lsof /path/to/file.

To log what happens to a file in the future, there are a few ways:

  • Use inotifywait. inotifywait -me access /path/to will print a line /path/to/ ACCESS file when someone reads file. This interface won't tell you who accessed the file; you can call lsof /path/to/file as soon as this line appears, but there's a race condition (the access may be over by the time lsof gets going).

  • LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. To configure it, see LoggedFS configuration file syntax.

  • You can use Linux's audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

      auditctl -w /path/to/file
    

    If you put a watch on a directory, the files in it and its subdirectories recursively are also watched.

Solution 2

The previous answer is not the best practice for doing what you ask. Linux has an API for this. The inotify API http://linux.die.net/man/7/inotify

  1. You can write a C program to do what you want just calling the inotify API directly
  2. You can use kfsmd, http://www.linux.com/archive/feature/124903 a daemon that uses inotify
  3. If you want something that works across platforms (inotify is Linux specific) and you are using Java, JNotify works across platforms(Linux, Mac, Windows), abstracting the native OS' underlying API.

Solution 3

Above example with inotifywait should be one of (see man page for more info):

inotifywait /path/to/file
inotifywait -e open /pat/to/file

Or with monitoring mode and timestamp:

inotifywait -m --format '%w:%e:%T' --timefmt '%F %T %Z %z'

Solution 4

This is not, in general, feasible. I have seen file systems with enough auditing to make it possible one way or the other, but it is not a general Unix thing, no.

Solution 5

Is there any way in unix to find out who accessed certain file in last 1 week?

strictly doing what you ask: one specific file, yes.

configure /etc/audit/audit.rules properly and service enable auditd and have the auditing service running and logging to /var/log/audit/audit.log

By default I think for most linux distributions auditing is on but the rules file is basically empty so you get very rudimentary items in the audit.log. You have to manually add rules as you see fit to your audit.rules file. Also peruse auditd.conf to get a full understanding of what is going on.

This is likely not the only way to do what you ask, but here is a rule that should do what you ask.

Web search more on linux audit watch file

-w /etc/passwd -p rwxa -k WATCHTHIS
  • -w is the stating the watch rule
  • /etc/passwd we are watching this file, change this accordingly
  • p the permissions filter, you have a combination of 4 total choices: read, write, execute, or append.
  • k optional, a filter key that is placed in audit.log whenever this audit event is triggered, highly recommended otherwise how are you going to find this event in audit.log; change this accordingly make something unique that is easily searchable in a billion lines of audit.log.

The var/log/audit/audit.log entries, one per line, there will be many, each will have a timestamp in epoch time format that you will have to convert to human readable month/day/year/hr/min/sec. Search for a line having WATCHTHIS or whatever you made the key, and the uid= and gid= is what you are after.

# cheat sheet:

systemctl list-unit-files | grep audit

systemctl enable auditd.service
service auditd enable

service auditd start

# ----------------------------------------------------------------

# sample /etc/audit/rules.d/audit.rules file
# used in rhel/centos 7.9

## First rule - delete all

-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
# -b 8192
# set from 8k to 1mb

-b 1048576

# in case of audit failure
# 2=shutdown, 1= goto runlevel 1, 0=no affect

-f 0

# add your desired rules

-w /scratch/somefile.txt -p rwxa -k WATCHTHIS
Share:
88,308

Related videos on Youtube

Jack
Author by

Jack

Updated on September 18, 2022

Comments

  • Jack
    Jack over 1 year

    Is there any way in unix to find out who accessed certain file in last 1 week? It may be user or some script ftp it to some other place. Can I get a list of user name who accessed certain file? How can I find out who is accessing particular file??

  • Jack
    Jack about 13 years
    Thank you Gilles.. I have this dat file created by the script. I just want to know what happens to that file after it is being created.. non of the other scripts are picking it for further process so I want to see if someone is manually accessing that dat file
  • penguin359
    penguin359 about 13 years
    Hey, you could create a nice circular loop with this: syslogd access log file /var/log/audit.log at 10:01\nsyslogd access log file /var/log/audit.log at 10:02\n...
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' about 13 years
    Welcome to Stack Exchange. Answers are not presented in chronological order, so “previous answer” doesn't convey which answer you mean. I wonder which of the other two you're referring to anyway: one doesn't have anything that looks like good or bad practice, and the other one does mention the inotify API.
  • Wtower
    Wtower over 7 years
    Most probably Glen refers to the answer above with default vote sorting. Indeed the most popular answer fails to present a solution to the question. There may be a number of reasons for which one might need to see how many times a files gets accessed for a given time frame.
  • Mikko Rantalainen
    Mikko Rantalainen over 6 years
    As explained in unix.stackexchange.com/a/12251/20336 inotify API does not provide info about who accessed a given file. Plus inotify really does not help figuring out who accessed the file last week. You need audit features for that, which requires using software called auditd (however, even this does not help figuring out who accessed the file last week unless you had auditd already running last week).
  • Hi-Angel
    Hi-Angel over 3 years
    inotifywait call should probably be inotifywait -me access /path/to (note the m). Otherwise it will exit after the first event.
  • ron
    ron over 3 years
    this was asked in 2011, the other answers in this post were likely true back then. But now in 2020 and the linux audit system has come a long way, I believe using the linux audit system used in this manner is probably the best way to do what was initially asked.
  • JPT
    JPT over 2 years
    This is an easy and effective way, but it doesn't show who (which process) was accessing the file. Am I missing something?
  • JPT
    JPT over 2 years
    Your link to the kfsmd article is broken. It probably moved to linux.com/news/use-kfsmd-keep-track-changes-your-filesystems