39

Is there any way in unix to find out who accessed certain file in last 1 week? It may be user or some script ftp it to some other place. Can I get a list of user name who accessed certain file? How can I find out who is accessing particular file??

Gilles 'SO- stop being evil'
  • 829,060
Jack
  • 391
  • 1
  • 3
  • 3

5 Answers5

49

Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information). You can find out who was logged in at what time in the system logs; the last command gives you login history, and other logs such as /var/log/auth.log will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely).

The date at which a file was last read is called its access time, or atime for short. All unix filesystems can store it, but many systems don't record it, because it has a (usually small) performance penalty. ls -ltu /path/to/file or stat /path/to/file shows the file's access time.

If a user accessed the file and wasn't trying to hide his tracks, his shell history (e.g. ~/.bash_history) may have clues.

To find out what or who has a file open now, use lsof /path/to/file.

To log what happens to a file in the future, there are a few ways:

  • Use inotifywait. inotifywait -me access /path/to will print a line /path/to/ ACCESS file when someone reads file. This interface won't tell you who accessed the file; you can call lsof /path/to/file as soon as this line appears, but there's a race condition (the access may be over by the time lsof gets going).

  • LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. To configure it, see LoggedFS configuration file syntax.

  • You can use Linux's audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

      auditctl -w /path/to/file

    If you put a watch on a directory, the files in it and its subdirectories recursively are also watched.

Gilles 'SO- stop being evil'
  • 829,060
  • Thank you Gilles.. I have this dat file created by the script. I just want to know what happens to that file after it is being created.. non of the other scripts are picking it for further process so I want to see if someone is manually accessing that dat file – Jack Apr 28 '11 at 21:13
  • @Jack: It's hard to say without knowing a lot more about your setup, but as long as nothing removes or renames the file, it'll be there for the other scripts to pick it up, whether or not someone else is accessing it. From your comment, I think you should be looking at what happens when you run your scripts. – Gilles 'SO- stop being evil' Apr 28 '11 at 21:17
  • 3
    Hey, you could create a nice circular loop with this: syslogd access log file /var/log/audit.log at 10:01\nsyslogd access log file /var/log/audit.log at 10:02\n... – penguin359 Apr 28 '11 at 21:24
  • inotifywait call should probably be inotifywait -me access /path/to (note the m). Otherwise it will exit after the first event. – Hi-Angel Dec 07 '20 at 11:32
7

The previous answer is not the best practice for doing what you ask. Linux has an API for this. The inotify API http://linux.die.net/man/7/inotify

  1. You can write a C program to do what you want just calling the inotify API directly
  2. You can use kfsmd, http://www.linux.com/archive/feature/124903 a daemon that uses inotify
  3. If you want something that works across platforms (inotify is Linux specific) and you are using Java, JNotify works across platforms(Linux, Mac, Windows), abstracting the native OS' underlying API.
Glen
  • 71
  • 1
  • 3
    Welcome to Stack Exchange. Answers are not presented in chronological order, so “previous answer” doesn't convey which answer you mean. I wonder which of the other two you're referring to anyway: one doesn't have anything that looks like good or bad practice, and the other one does mention the inotify API. – Gilles 'SO- stop being evil' Apr 29 '11 at 10:14
  • Most probably Glen refers to the answer above with default vote sorting. Indeed the most popular answer fails to present a solution to the question. There may be a number of reasons for which one might need to see how many times a files gets accessed for a given time frame. – Wtower Mar 03 '17 at 23:15
  • 2
    As explained in https://unix.stackexchange.com/a/12251/20336 inotify API does not provide info about who accessed a given file. Plus inotify really does not help figuring out who accessed the file last week. You need audit features for that, which requires using software called auditd (however, even this does not help figuring out who accessed the file last week unless you had auditd already running last week). – Mikko Rantalainen Mar 16 '18 at 13:43
  • Your link to the kfsmd article is broken. It probably moved to https://www.linux.com/news/use-kfsmd-keep-track-changes-your-filesystems/ – JPT Nov 07 '21 at 11:19
7

Above example with inotifywait should be one of (see man page for more info):

inotifywait /path/to/file
inotifywait -e open /pat/to/file

Or with monitoring mode and timestamp:

inotifywait -m --format '%w:%e:%T' --timefmt '%F %T %Z %z'
Milan Kerslager
  • 220
  • 1
    This is an easy and effective way, but it doesn't show who (which process) was accessing the file. Am I missing something? – JPT Nov 07 '21 at 11:16
3

This is not, in general, feasible. I have seen file systems with enough auditing to make it possible one way or the other, but it is not a general Unix thing, no.

tchrist
  • 433
2

Is there any way in unix to find out who accessed certain file in last 1 week?

strictly doing what you ask: one specific file, yes.

configure /etc/audit/audit.rules properly and service enable auditd and have the auditing service running and logging to /var/log/audit/audit.log

By default I think for most linux distributions auditing is on but the rules file is basically empty so you get very rudimentary items in the audit.log. You have to manually add rules as you see fit to your audit.rules file. Also peruse auditd.conf to get a full understanding of what is going on.

This is likely not the only way to do what you ask, but here is a rule that should do what you ask.

Web search more on linux audit watch file

-w /etc/passwd -p rwxa -k WATCHTHIS
  • -w is the stating the watch rule
  • /etc/passwd we are watching this file, change this accordingly
  • p the permissions filter, you have a combination of 4 total choices: read, write, execute, or append.
  • k optional, a filter key that is placed in audit.log whenever this audit event is triggered, highly recommended otherwise how are you going to find this event in audit.log; change this accordingly make something unique that is easily searchable in a billion lines of audit.log.

The var/log/audit/audit.log entries, one per line, there will be many, each will have a timestamp in epoch time format that you will have to convert to human readable month/day/year/hr/min/sec. Search for a line having WATCHTHIS or whatever you made the key, and the uid= and gid= is what you are after.

# cheat sheet:

systemctl list-unit-files | grep audit


systemctl enable auditd.service
service auditd enable


service auditd start


----------------------------------------------------------------


sample /etc/audit/rules.d/audit.rules file


used in rhel/centos 7.9


First rule - delete all


-D


Increase the buffers to survive stress events.


Make this bigger for busy systems


-b 8192


set from 8k to 1mb


-b 1048576


in case of audit failure


2=shutdown, 1= goto runlevel 1, 0=no affect


-f 0


add your desired rules


-w /scratch/somefile.txt -p rwxa -k WATCHTHIS
ron
  • 6,575
  • this was asked in 2011, the other answers in this post were likely true back then. But now in 2020 and the linux audit system has come a long way, I believe using the linux audit system used in this manner is probably the best way to do what was initially asked. – ron Dec 07 '20 at 14:11