
I'm a noob and have some questions about viewing who accessed a file.

I found there are ways to see if a file was accessed (not modified/changed) through audit subsystem and inotify.

However, from what I have read online, according to this page: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

to 'watch/monitor' a file I have to set a watch with a command like:

# auditctl -w /etc/passwd -p war -k password-file

So if I create a new file or directory, do I have to use audit/inotify command to 'set' watch first to 'watch' who accessed the new file?

Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?

Edit:

From further googling, I found this page saying: http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html

The inotify API provides no information about the user or process that triggered the inotify event.

So I guess this means that I can't figure out which user accessed a file? Can only the audit subsystem be used to figure out who accessed a file?
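As an added example (not part of the question or of the linked page), the following Python script shows what the audit subsystem gives you that inotify does not: for a watch set with the `auditctl -w /etc/passwd -p war -k password-file` rule from the question, auditd writes records to /var/log/audit/audit.log that carry the key, the login uid (auid), the effective uid, the program and the path. The log lines below are constructed samples in that format, and the syscall-number table is an assumed x86_64 subset.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed /var/log/audit/audit.log excerpt (not from the question or the linked page).
# auditd writes several records per event that share one serial number; a watch set with
# "auditctl -w /etc/passwd -p war -k password-file" tags the SYSCALL record with key="password-file".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd19c5592 a1=0 a2=1b6 a3=0 items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="password-file"
type=CWD msg=audit(1364481363.243:24287):  cwd="/home/alice"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/passwd" inode=409248 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481400.101:24301): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffc21a4e2f0 a2=2 a3=0 items=1 ppid=3700 pid=3712 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vipw" exe="/usr/sbin/vipw" key="password-file"
type=CWD msg=audit(1364481400.101:24301):  cwd="/root"
type=PATH msg=audit(1364481400.101:24301): item=0 name="/etc/passwd" inode=409248 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481450.500:24315): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2c0a1 a2=0 a3=0 items=1 ppid=1 pid=4000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="password-file"
type=PATH msg=audit(1364481450.500:24315): item=0 name="/etc/passwd" inode=409248 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481500.000:24320): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2c0b3 a2=0 a3=0 items=1 ppid=1 pid=4100 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=3 comm="less" exe="/usr/bin/less" key="sshd-config"
type=PATH msg=audit(1364481500.000:24320): item=0 name="/etc/ssh/sshd_config" inode=409300 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# x86_64 syscall numbers for the calls a "-p war" watch commonly reports (assumed subset).
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 82: "rename", 90: "chmod", 257: "openat"}
AUID_UNSET = 4294967295  # loginuid was never set, e.g. for daemons and cron jobs


def parse_fields(body):
    """Turn 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def group_events(log_text):
    """Group records by event serial so the SYSCALL and PATH records of one access sit together."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m.group("body"))
        fields["type"] = m.group("type")
        fields["ts"] = float(m.group("ts"))
        events[int(m.group("serial"))].append(fields)
    return events


def who_accessed(log_text, key):
    """Return one summary per event whose SYSCALL record carries the given watch key."""
    hits = []
    for serial, records in sorted(group_events(log_text).items()):
        sc = next((r for r in records if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        auid = int(sc.get("auid", AUID_UNSET))
        hits.append({
            "serial": serial,
            "time": datetime.fromtimestamp(sc["ts"], tz=timezone.utc).isoformat(),
            # auid is the login uid and survives su/sudo; uid is the effective user at access time
            "auid": None if auid == AUID_UNSET else auid,
            "uid": int(sc["uid"]),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
            "success": sc.get("success") == "yes",
            "paths": [r["name"] for r in records if r["type"] == "PATH" and "name" in r],
        })
    return hits


if __name__ == "__main__":
    for h in who_accessed(SAMPLE_AUDIT_LOG, "password-file"):
        who = "auid=unset" if h["auid"] is None else f"auid={h['auid']}"
        print(f"{h['time']} {who} uid={h['uid']} {h['syscall']} {h['comm']} ({h['exe']}) -> {h['paths']}")
```

The second sample event is the one to notice: uid is 0 because the user ran vipw through sudo, but auid still says 1000, so the login user is recoverable; the cron event has no login uid at all, which is what auid=4294967295 means. On a real box the stock tool for the same query is `ausearch -k password-file`, and `auditctl -l` lists the rules currently loaded, which answers the "is this directory being watched" part of the question for the audit subsystem.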

1 Answer

This is a brute force approach but you could look through the user's .bash_history in their home directory. This will only store a certain amount of lines though.

This might work, I am not saying it will work:

This assumes that your home directories are in /home and that the user did not remove their bash history file or move their history file.

    # iterate over home directories instead of parsing ls output; skip users without a history file
    for dir in /home/*; do
        echo "CURRENT USER IS $(basename "$dir")"
        grep -- "<filename>" "$dir/.bash_history"
    done 2>/dev/null | less

That should find any references to the file in the bash histories of the users on the host.

Then you could grep the output of last to see who was logged in around the time that the timestamp on the file you are inspecting changed. Look for times close to the time that the timestamp on the file says.

You will also want to look for references to the echo command or anything using redirection, as the file could have been modified with a redirection, e.g. echo "test" > file_I_should_not_edit or echo "foo" >> append_to_file_i_should_not_edit.

I wish I could tell you an exact answer for your problem.
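The correlation step in this answer (matching the file's timestamp against who was logged in) as an added example in Python, not the answerer's code: it assumes the session list comes from `last -F`, which prints full login and logout timestamps, and the `last -F` lines below are constructed, not captured from a real host. It reports every user whose session overlaps the file's timestamp, optionally widened by a slack window, because the file's mtime only approximates when the change happened.

```python
import re
from datetime import datetime, timedelta

# Constructed `last -F` output (full login/logout timestamps); not from the original answer.
SAMPLE_LAST_F = """\
bob      pts/1        192.0.2.7        Thu Mar 28 15:10:44 2013   still logged in
alice    pts/0        192.0.2.5        Thu Mar 28 14:30:01 2013 - Thu Mar 28 15:02:10 2013  (00:32)
root     tty1                          Thu Mar 28 09:00:00 2013 - Thu Mar 28 09:05:30 2013  (00:05)

wtmp begins Mon Mar  4 00:00:01 2013
"""

DATE = r"\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}"
# user, tty, optional host, login time, then either "- logout time" or an open-session marker
SESSION_RE = re.compile(
    rf"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S*)\s*(?P<login>{DATE})\s+"
    rf"(?:-\s+(?P<logout>{DATE})|(?P<open>still logged in|gone - no logout))"
)


def parse_timestamp(text):
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def parse_sessions(last_output, now):
    """Return (user, tty, host, login, logout) tuples; sessions still open end at `now`."""
    sessions = []
    for line in last_output.splitlines():
        m = SESSION_RE.match(line)
        if not m:  # blank line, the "wtmp begins" trailer, reboot/shutdown entries
            continue
        login = parse_timestamp(m.group("login"))
        logout = parse_timestamp(m.group("logout")) if m.group("logout") else now
        sessions.append((m.group("user"), m.group("tty"), m.group("host"), login, logout))
    return sessions


def logged_in_at(last_output, when, now, slack=timedelta(0)):
    """Users with a session overlapping `when` plus or minus `slack`: candidates for a change then."""
    lo, hi = when - slack, when + slack
    return sorted({s[0] for s in parse_sessions(last_output, now) if s[3] <= hi and s[4] >= lo})


if __name__ == "__main__":
    # In practice `when` comes from stat on the file and `now` from datetime.now(); fixed here
    # so the constructed sample gives a stable result.
    now = datetime(2013, 3, 28, 16, 0, 0)
    mtime = datetime(2013, 3, 28, 14, 36, 3)
    print(logged_in_at(SAMPLE_LAST_F, mtime, now, timedelta(minutes=10)))
```

Note that this only narrows the list of suspects: someone logged in at the time is not necessarily the one who touched the file, cron jobs and daemons never appear in `last`, and a user could have been working through a session that wtmp does not record.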
