How to know who accessed a file or if a file has 'access' monitor in linux

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I have some questions about viewing who accessed a file.



I found there are ways to see if a file was accessed (not modified/changed) through audit subsystem and inotify.



However, from what I have read online, according to here:
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html



it says to 'watch/monitor' file, I have to set a watch by using command like:



# auditctl -w /etc/passwd -p war -k password-file


So if I create a new file or directory, do I have to use audit/inotify command to 'set' watch first to 'watch' who accessed the new file?



Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?



edit:



from further googling, I found this page saying:
http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html



The inotify API provides no information about the user or process that triggered the inotify event.



So I guess this means that I cant figure out which user accessed a file? Only audit subsystem can be used to figure out who accessed a file?










share|improve this question



























    up vote
    1
    down vote

    favorite












    I have some questions about viewing who accessed a file.



    I found there are ways to see if a file was accessed (not modified/changed) through audit subsystem and inotify.



    However, from what I have read online, according to here:
    http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html



    it says to 'watch/monitor' file, I have to set a watch by using command like:



    # auditctl -w /etc/passwd -p war -k password-file


    So if I create a new file or directory, do I have to use audit/inotify command to 'set' watch first to 'watch' who accessed the new file?



    Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?



    edit:



    from further googling, I found this page saying:
    http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html



    The inotify API provides no information about the user or process that triggered the inotify event.



    So I guess this means that I cant figure out which user accessed a file? Only audit subsystem can be used to figure out who accessed a file?










    share|improve this question

























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I have some questions about viewing who accessed a file.



      I found there are ways to see if a file was accessed (not modified/changed) through audit subsystem and inotify.



      However, from what I have read online, according to here:
      http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html



      it says to 'watch/monitor' file, I have to set a watch by using command like:



      # auditctl -w /etc/passwd -p war -k password-file


      So if I create a new file or directory, do I have to use audit/inotify command to 'set' watch first to 'watch' who accessed the new file?



      Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?



      edit:



      from further googling, I found this page saying:
      http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html



      The inotify API provides no information about the user or process that triggered the inotify event.



      So I guess this means that I cant figure out which user accessed a file? Only audit subsystem can be used to figure out who accessed a file?










      share|improve this question















      I have some questions about viewing who accessed a file.



      I found there are ways to see if a file was accessed (not modified/changed) through audit subsystem and inotify.



      However, from what I have read online, according to here:
      http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html



      it says to 'watch/monitor' file, I have to set a watch by using command like:



      # auditctl -w /etc/passwd -p war -k password-file


      So if I create a new file or directory, do I have to use audit/inotify command to 'set' watch first to 'watch' who accessed the new file?



      Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?



      edit:



      from further googling, I found this page saying:
      http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html



      The inotify API provides no information about the user or process that triggered the inotify event.



      So I guess this means that I cant figure out which user accessed a file? Only audit subsystem can be used to figure out who accessed a file?







      linux security monitoring






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Dec 7 at 23:40









      Rui F Ribeiro

      38.7k1479128




      38.7k1479128










      asked Apr 3 '12 at 22:02









      J L

      1184




      1184




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote



          accepted










          Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.



          All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).



          You can list the audit rules with auditctl -l.






          share|improve this answer




















          • When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
            – J L
            Apr 4 '12 at 2:01










          • @JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
            – Gilles
            Apr 4 '12 at 7:07










          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f35651%2fhow-to-know-who-accessed-a-file-or-if-a-file-has-access-monitor-in-linux%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote



          accepted










          Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.



          All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).



          You can list the audit rules with auditctl -l.






          share|improve this answer




















          • When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
            – J L
            Apr 4 '12 at 2:01










          • @JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
            – Gilles
            Apr 4 '12 at 7:07














          up vote
          0
          down vote



          accepted










          Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.



          All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).



          You can list the audit rules with auditctl -l.






          share|improve this answer




















          • When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
            – J L
            Apr 4 '12 at 2:01










          • @JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
            – Gilles
            Apr 4 '12 at 7:07












          up vote
          0
          down vote



          accepted







          up vote
          0
          down vote



          accepted






          Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.



          All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).



          You can list the audit rules with auditctl -l.






          share|improve this answer












          Logs from the audit subsystem are based on paths. You can put a watch on a file name even if that file doesn't exist. You'll get log entries if the file is created and accessed.



          All logs from auditd are saved in one file (generally /var/log/audit/auditd.log).



          You can list the audit rules with auditctl -l.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Apr 4 '12 at 0:54









          Gilles

          526k12710521579




          526k12710521579











          • When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
            – J L
            Apr 4 '12 at 2:01










          • @JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
            – Gilles
            Apr 4 '12 at 7:07
















          • When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
            – J L
            Apr 4 '12 at 2:01










          • @JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
            – Gilles
            Apr 4 '12 at 7:07















          When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
          – J L
          Apr 4 '12 at 2:01




          When you say that a file that doesn't even exist can be watched, I assume you mean if a file or directory is created in a directory that is being watched, the new files & directories are automatically watched too?
          – J L
          Apr 4 '12 at 2:01












          @JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
          – Gilles
          Apr 4 '12 at 7:07




          @JL Yes, the point is that the watch is associated to a path (or path fragment, if that path is or becomes a directory) and not to, say, an inode.
          – Gilles
          Apr 4 '12 at 7:07

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f35651%2fhow-to-know-who-accessed-a-file-or-if-a-file-has-access-monitor-in-linux%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown






          Popular posts from this blog

          Peggy Mitchell

          The Forum (Inglewood, California)

          Palaiologos