
I would like to know when a specific file is being read, log the process ID and executable name, and also notify me by sending an email using mail.

Can a kernel module do this? Is a kernel module the only way to achieve this?


1 Answer


Reading a file invokes kernel code, so the kernel always knows. The question is how to get it to notify you.

On Linux, you can use the audit subsystem. Run auditctl to add a rule to watch this file:

auditctl -w /path/to/specific/file

The event is sent to the audit logs. You can request audit events to be emailed by configuring audispd — see How to send audit logs with audisp-remote and receive them with netcat for examples. Alternatively, set up email of audit reports; see Scott Pack's “Stump the Chump with Auditd 01”.

  • This utility is great. However, if I use $cat, this does not get logged by the tool. Why is that and how can I keep track of $cat to read files? – drdot Mar 06 '17 at 03:42
  • @dannycrane Access by cat gets logged, like from any other program. If you don't see an entry in the audit logs (/var/log/audit/audit.log) then you aren't running the audit daemon or you didn't set the rule with the right path. – Gilles 'SO- stop being evil' Mar 06 '17 at 11:09
  • but vim gets logged.... – drdot Mar 06 '17 at 18:38
  • @dannycrane Strange. Does adding -p rwxa to the auditctl call make any difference? (I think it's the default so it shouldn't make a difference but I don't see what could be the difference between vim and cat.) – Gilles 'SO- stop being evil' Mar 06 '17 at 18:49
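To show what the audit-rule approach from the answer yields in practice, here is an added example (not code from the answer or from the audit project). It assumes the watch rule was installed with a key, `auditctl -w /path/to/specific/file -p r -k watched-file`, so that the SYSCALL records carry `key="watched-file"`; the audit.log lines it parses are constructed samples in the real record layout, and the key name and the `NOTIFY_TO` address are assumptions. It extracts exactly the two fields the question asks for, the pid and the executable, and hands the result to mail(1) only when a recipient is set.

```shell
#!/bin/sh
# Added example: turn auditd SYSCALL records from a keyed watch rule into a
# "who read the file" report and (optionally) an email.
# Assumed rule:  auditctl -w /path/to/specific/file -p r -k watched-file

# audit_access_report KEY
# Reads audit.log lines on stdin, keeps SYSCALL records tagged with KEY and
# prints one line per access in the form: pid=<pid> exe=<path> comm=<name>
# (comm precedes exe in a SYSCALL record, which the sed expression relies on).
audit_access_report() {
    key="$1"
    grep '^type=SYSCALL ' | grep "key=\"$key\"" |
    sed -n 's/.* pid=\([0-9]*\) .* comm="\([^"]*\)" exe="\([^"]*\)".*/pid=\1 exe=\3 comm=\2/p'
}

# CONSTRUCTED sample audit.log content: two reads of the watched file
# (by cat and by vim) and one unrelated record tagged with a different key.
SAMPLE_LOG='type=SYSCALL msg=audit(1488778800.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2e a1=0 a2=1b6 a3=0 items=1 ppid=1234 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="watched-file"
type=CWD msg=audit(1488778800.123:456): cwd="/home/user"
type=PATH msg=audit(1488778800.123:456): item=0 name="/path/to/specific/file" inode=131 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1488778801.500:457): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2e a1=0 a2=1b6 a3=0 items=1 ppid=1234 pid=2400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="watched-file"
type=SYSCALL msg=audit(1488778802.000:458): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=999 auid=0 uid=0 comm="cron" exe="/usr/sbin/cron" key="other-rule"'

# Build the report from the constructed sample. On a live system replace the
# sample with the real records, e.g.  ausearch -k watched-file --raw
report=$(printf '%s\n' "$SAMPLE_LOG" | audit_access_report watched-file)
printf '%s\n' "$report"

# Deliver by email only when NOTIFY_TO (assumed variable) is set, so the
# script runs offline without invoking mail(1).
if [ -n "${NOTIFY_TO:-}" ] && [ -n "$report" ]; then
    printf '%s\n' "$report" | mail -s "watched file was read" "$NOTIFY_TO"
fi
```

Run it as `NOTIFY_TO=you@example.com sh report.sh` to actually send mail, or without `NOTIFY_TO` to just print the report. Filtering on the key rather than on the path is the robust choice: the path of the watched file appears in the separate PATH record, while the pid and exe live in the SYSCALL record, and the key ties them to the rule you installed.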