How to know who accessed a file or if a file has 'access' monitor in linux

Clash Royale CLAN TAG#URR8PPP
up vote
1
down vote
favorite
I have some questions about viewing who accessed a file.
I found there are ways to see if a file was accessed (not modified/changed) through audit subsystem and inotify.
However, from what I have read online, according to here:
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
it says to 'watch/monitor' file, I have to set a watch by using command like:
# auditctl -w /etc/passwd -p war -k password-file
So if I create a new file or directory, do I have to use audit/inotify command to 'set' watch first to 'watch' who accessed the new file?
Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?
edit:
from further googling, I found this page saying:
http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html
The inotify API provides no information about the user or process that triggered the inotify event.
So I guess this means that I cant figure out which user accessed a file? Only audit subsystem can be used to figure out who accessed a file?
linux security monitoring
add a comment |
up vote
1
down vote
favorite
I have some questions about viewing who accessed a file.
I found there are ways to see if a file was accessed (not modified/changed) through audit subsystem and inotify.
However, from what I have read online, according to here:
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
it says to 'watch/monitor' file, I have to set a watch by using command like:
# auditctl -w /etc/passwd -p war -k password-file
So if I create a new file or directory, do I have to use audit/inotify command to 'set' watch first to 'watch' who accessed the new file?
Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?
edit:
from further googling, I found this page saying:
http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html
The inotify API provides no information about the user or process that triggered the inotify event.
So I guess this means that I cant figure out which user accessed a file? Only audit subsystem can be used to figure out who accessed a file?
linux security monitoring
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I have some questions about viewing who accessed a file.
I found there are ways to see if a file was accessed (not modified/changed) through audit subsystem and inotify.
However, from what I have read online, according to here:
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
it says to 'watch/monitor' file, I have to set a watch by using command like:
# auditctl -w /etc/passwd -p war -k password-file
So if I create a new file or directory, do I have to use audit/inotify command to 'set' watch first to 'watch' who accessed the new file?
Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?
edit:
from further googling, I found this page saying:
http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html
The inotify API provides no information about the user or process that triggered the inotify event.
So I guess this means that I cant figure out which user accessed a file? Only audit subsystem can be used to figure out who accessed a file?
linux security monitoring
I have some questions about viewing who accessed a file.
I found there are ways to see if a file was accessed (not modified/changed) through audit subsystem and inotify.
However, from what I have read online, according to here:
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
it says to 'watch/monitor' file, I have to set a watch by using command like:
# auditctl -w /etc/passwd -p war -k password-file
So if I create a new file or directory, do I have to use audit/inotify command to 'set' watch first to 'watch' who accessed the new file?
Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?
edit:
from further googling, I found this page saying:
http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html
The inotify API provides no information about the user or process that triggered the inotify event.
So I guess this means that I cant figure out which user accessed a file? Only audit subsystem can be used to figure out who accessed a file?
linux security monitoring
linux security monitoring
edited Dec 7 at 23:40
Rui F Ribeiro
38.7k1479128
38.7k1479128
asked Apr 3 '12 at 22:02
J L
1184
1184
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
accepted
Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.
All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).
You can list the audit rules with auditctl -l.
When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
– J L
Apr 4 '12 at 2:01
@JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
– Gilles
Apr 4 '12 at 7:07
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f35651%2fhow-to-know-who-accessed-a-file-or-if-a-file-has-access-monitor-in-linux%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
accepted
Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.
All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).
You can list the audit rules with auditctl -l.
When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
– J L
Apr 4 '12 at 2:01
@JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
– Gilles
Apr 4 '12 at 7:07
add a comment |
up vote
0
down vote
accepted
Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.
All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).
You can list the audit rules with auditctl -l.
When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
– J L
Apr 4 '12 at 2:01
@JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
– Gilles
Apr 4 '12 at 7:07
add a comment |
up vote
0
down vote
accepted
up vote
0
down vote
accepted
Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.
All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).
You can list the audit rules with auditctl -l.
Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.
All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).
You can list the audit rules with auditctl -l.
answered Apr 4 '12 at 0:54
Gilles
526k12710521579
526k12710521579
When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
– J L
Apr 4 '12 at 2:01
@JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
– Gilles
Apr 4 '12 at 7:07
add a comment |
When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
– J L
Apr 4 '12 at 2:01
@JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
– Gilles
Apr 4 '12 at 7:07
When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
– J L
Apr 4 '12 at 2:01
When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
– J L
Apr 4 '12 at 2:01
@JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
– Gilles
Apr 4 '12 at 7:07
@JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
– Gilles
Apr 4 '12 at 7:07
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f35651%2fhow-to-know-who-accessed-a-file-or-if-a-file-has-access-monitor-in-linux%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown