How to know who accessed a file, or whether a file has an 'access' monitor, in Linux

2

I'm a noob and have some questions about viewing who accessed a file.

I found there are ways to see if a file was accessed (not modified/changed) through the audit subsystem and inotify.

However, from what I have read online (here: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html), it says that to 'watch/monitor' a file I have to set a watch by using a command like:

# auditctl -w /etc/passwd -p war -k password-file

So if I create a new file or directory, do I have to use an audit/inotify command to 'set' a watch first in order to 'watch' who accessed the new file?

Also is there a way to know if a directory is being 'watched' through audit subsystem or inotify? How/where can I check the log of a file?

edit:

From further googling, I found this page, which says: http://www.kernel.org/doc/man-pages/online/pages/man7/inotify.7.html

The inotify API provides no information about the user or process that triggered the inotify event.

So I guess this means that I can't figure out which user accessed a file with inotify? Can only the audit subsystem be used to figure out who accessed a file?

J L

Posted 2012-04-03T22:03:44.173

Reputation: 139
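Two things the question asks for, shown as an added example rather than anything from the original post: checking whether a path already has an audit watch (by reading the rule listing that `auditctl -l` prints) and working out who triggered events for a watch key (by reading SYSCALL records from audit.log). The rule listing and the log excerpt below are constructed stand-ins so the script runs offline; on a real host you would pipe in `auditctl -l` and /var/log/audit/audit.log, or simply use `ausearch -k <key>`, which does the same search for you. The record layout assumed here (type=SYSCALL ... auid=... uid=... comm=... exe=... key=...) is the standard audit format, but the field values are made up.

```shell
#!/bin/bash
# Added example (not from the original post). Functions:
#   is_watched PATH   - reads an `auditctl -l` listing on stdin, exits 0 if a
#                       `-w PATH` watch rule exists, 1 otherwise
#   who_accessed KEY  - reads audit.log lines on stdin, prints one line per
#                       SYSCALL record carrying key="KEY":
#                       <epoch> <auid> <uid> <comm> <exe>
# auid is the login uid, which survives su/sudo; uid is the effective user at
# the time of the access. That difference is what identifies the real person.

# Constructed stand-in for the output of `auditctl -l` (the rule from the
# question, plus a second unrelated watch).
SAMPLE_RULES='-w /etc/passwd -p rwa -k password-file
-w /etc/shadow -p wa -k shadow-file'

# Constructed audit.log excerpt: two opens of /etc/passwd. The first is by
# login user 1000 who had become root (auid=1000, uid=0); the second is by
# user 1001 directly. Field values are invented.
SAMPLE_LOG='type=SYSCALL msg=audit(1333490000.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=1b6 a3=0 items=1 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="password-file"
type=CWD msg=audit(1333490000.123:456): cwd="/root"
type=PATH msg=audit(1333490000.123:456): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1333490100.500:457): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=1b6 a3=0 items=1 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="password-file"
type=CWD msg=audit(1333490100.500:457): cwd="/home/user1001"
type=PATH msg=audit(1333490100.500:457): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL'

is_watched() {
    # A watch rule is printed as "-w <path> [-p perms] [-k key]";
    # match on the path token only so the permission flags do not matter.
    awk -v p="$1" '$1 == "-w" && $2 == p { found = 1 } END { exit !found }'
}

who_accessed() {
    awk -v key="$1" '
        $1 != "type=SYSCALL" { next }
        {
            wanted = 0; auid = uid = comm = exe = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                gsub(/"/, "", kv[2])            # strip quotes from comm/exe/key
                if (kv[1] == "key" && kv[2] == key) wanted = 1
                else if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid")  uid  = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "exe")  exe  = kv[2]
            }
            if (!wanted) next
            # $2 looks like msg=audit(EPOCH.MSEC:SERIAL): -> keep EPOCH only
            ts = $2
            sub(/^msg=audit\(/, "", ts)
            sub(/\..*/, "", ts)
            print ts, auid, uid, comm, exe
        }'
}

# Stand-alone demo on the constructed data. On a real host:
#   auditctl -l | is_watched /etc/passwd && echo "watched"
#   who_accessed password-file < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_RULES" | is_watched /etc/passwd && echo "/etc/passwd is watched"
printf '%s\n' "$SAMPLE_LOG" | who_accessed password-file
```

The epoch column can be turned into a readable time with `date -d @<epoch>`; ausearch prints it that way by itself. Note that inotify could tell you only that the open happened, not the auid/uid/comm columns, which is exactly the limitation the inotify(7) quote in the question describes.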

Answers

0

This is a brute force approach, but you could look through the user's .bash_history in their home directory. This will only store a certain number of lines, though.

This might work; I am not saying it will work:

This assumes that your home directories are in /home and that the user did not remove their bash history file or move their history file.

    # loop over every home directory and print the history lines that mention the file
    for i in $(ls /home/); do
        echo "CURRENT USER IS $i"
        grep <filename> /home/$i/.bash_history
    done | less

That should find any references to the file in the bash histories of the users on the host.

Then you could grep the output of last to see who was logged in around the time that the timestamp on the file you are inspecting changed. Look for times close to the time that the timestamp on the file says.

You will also want to look for references to the echo command or anything using redirection, as the file could have been modified with a redirection, e.g. echo "test" > file_I_should_not_edit or echo "foo" >> append_to_file_i_should_not_edit.

I wish I could tell you an exact answer for your problem.

Jarrod Wageman

Posted 2012-04-03T22:03:44.173

Reputation: 713