How to count the number of times a file/directory has been opened?

1

2

I'm trying to find the number of times a file has been opened (since the OS inception). I'm thinking of doing this via stat, but most flags only return the difference between the LAST time it was opened.

mynameis

Posted 2014-11-24T21:48:49.257

Reputation: 11

I'm not sure that this information is actually tracked by most filesystems. You may need to look at using tools to monitor specific files and report when they are opened. I'm sure these exist, but not being a Linux user myself, I don't know the name of said tools. – Crippledsmurf – 2014-11-24T22:04:20.707

Answers

2

This answer explains what needs to be done, but the specifics of how depend on your distribution, your setup and purpose, and which tools you choose to parse the data:

What you are looking for is the Auditd daemon within Linux. From the manpage auditd(8):

auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or aureport utilities. Configuring the audit rules is done with the auditctl utility. During startup, the rules in /etc/audit/audit.rules are read by auditctl and loaded into the kernel. Alternately, there is also an augenrules program that reads rules located in /etc/audit/rules.d/ and compiles them into an audit.rules file. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the auditd.conf file.

Auditing uses functions built into the kernel to create logs whenever certain system calls are made, per your specifications. Once set up, you will find the logs in /var/log/audit or somewhere similar per your distribution.

To audit access to a file, you would use something similar to:

auditctl -w /path/to/interesting/files/ -p rwxa -k myfileaudits

Where -w specifies the path to the files, and -p specifies that the system will audit reads, writes, executions, and attribute or permission changes. Finally, the -k option allows you to specify an arbitrary key for use when searching for this rule with ausearch.

Note that although auditd works off system calls, -p r does not track the read function, but rather open so that the logs aren't flooded with every read, but an entry is made every time a file is opened for reading.

Once one has auditing turned on, and has the logs in place, ausearch can be used to parse these logs for all access to the specified files, and standard text or statistics tools can be used to generate the tallies. These can vary from grep and wc -l to count the log entries, or some combination of scripting and GNU-R or gnuplot to generate graphs and reports.


Another alternative is to use SELinux. While SELinux is a tool for access control that normally only logs access-denials, it can be set up to log ALL access, and provide similar information to auditd.


Edit: If a record of access is required from the beginning: for instance, during the OS installation, during boot prior to auditd starting, or prior to auditd installation, then more extreme measures are required. A custom installer or custom initrd.img boot file may need to be created in order to load the required debugger or kernel-level tracing tools. These tracing tools could include dtrace, perf, SystemTap, ktap or similar debugger-level tools to catch access during boot. A good reference is http://www.brendangregg.com/linuxperf.html and an example of this type of analysis for system performance, rather than auditing, is bootchart.

Setting this up is beyond the scope of my experience however - hope the references prove useful.

glallen

Posted 2014-11-24T21:48:49.257

Reputation: 1 886
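
The tally described in the answer above, as an added example that is not part of the original answer: each audit event is several records sharing one ID, with the rule key on the SYSCALL record and the file name on the PATH record, so counting opens per file means joining the two. The function names and the sample records are constructed for illustration; the key myfileaudits is the one from the auditctl command above.

```shell
#!/bin/sh
# Added example: count successful opens per path from raw audit records.
# Assumes the watch from the answer is loaded with key "myfileaudits".
# Real use:  ausearch -k myfileaudits --raw | count_opens myfileaudits

count_opens() {  # $1 = audit key; raw audit records on stdin
    awk -v key="$1" '
    # Every record of one event shares the msg=audit(TIME:SERIAL) stamp.
    { if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
      id = substr($0, RSTART, RLENGTH) }
    # The key and the result are on the SYSCALL record, which the kernel
    # writes before the PATH records of the same event.
    /^type=SYSCALL/ {
        if (index($0, " key=\"" key "\"") && index($0, " success=yes "))
            hit[id] = 1
        next
    }
    # The file name is on the PATH record; skip the parent-directory item
    # that accompanies a create so one open is counted once.
    /^type=PATH/ && (id in hit) && !/nametype=PARENT/ {
        if (match($0, / name="[^"]*"/))
            count[substr($0, RSTART + 7, RLENGTH - 8)]++
    }
    END { for (n in count) printf "%d %s\n", count[n], n }
    ' | sort -k1,1nr -k2
}

sample_log() {  # constructed, abbreviated records (not from a real system)
    cat <<'EOF'
type=SYSCALL msg=audit(1416866929.257:101): syscall=2 success=yes exit=3 comm="cat" key="myfileaudits"
type=PATH msg=audit(1416866929.257:101): item=0 name="/path/to/interesting/files/report.txt" nametype=NORMAL
type=SYSCALL msg=audit(1416866930.100:102): syscall=2 success=yes exit=3 comm="vim" key="myfileaudits"
type=PATH msg=audit(1416866930.100:102): item=0 name="/path/to/interesting/files/report.txt" nametype=NORMAL
type=SYSCALL msg=audit(1416866931.500:103): syscall=257 success=yes exit=3 comm="touch" key="myfileaudits"
type=PATH msg=audit(1416866931.500:103): item=0 name="/path/to/interesting/files/" nametype=PARENT
type=PATH msg=audit(1416866931.500:103): item=1 name="/path/to/interesting/files/notes.txt" nametype=CREATE
type=SYSCALL msg=audit(1416866932.000:104): syscall=2 success=no exit=-13 comm="cat" key="myfileaudits"
type=PATH msg=audit(1416866932.000:104): item=0 name="/path/to/interesting/files/report.txt" nametype=NORMAL
type=SYSCALL msg=audit(1416866933.000:105): syscall=2 success=yes exit=3 comm="cat" key="other-rule"
type=PATH msg=audit(1416866933.000:105): item=0 name="/etc/passwd" nametype=NORMAL
EOF
}

sample_log | count_opens myfileaudits
```

Denied opens (success=no) and events from other rules are left out of the tally; PATH records whose name is not logged as a quoted string are skipped.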

+1 - This is a great answer about setting up to perform that. The question asks about obtaining this information from OS inception, which implies retroactively. Can you expand your answer to address whether this is possible? – fixer1234 – 2014-11-24T23:29:30.753

@fixer1234 I'd say it depends how 'OS inception' is defined. If tracking a 'production thing' then install, hardening, audits and logging, baselines, and backups, should be done BEFORE you put the OS into production. So unless you're analysing the install process itself, just configure auditing before you install anything else. If not, and you want to track OS level 'things' starting somewhere between bare-metal, the first read/writes of the installer, or 'first-boot,' then either a custom initrd, or custom installer with debug-level functions is in order. Adding edits to this effect. – glallen – 2014-11-25T01:15:07.197

My read on the question was actually something different. I thought it was asking if there is a way to know after the fact. You have an existing system created some time in the past. At this point you want to know the history of a file's usage. Is there a history or parameter associated with each file that is part of the filesystem that indicates the number of times any arbitrary file was opened? It sounds like you're saying the answer is no. You can set that up to track usage from that point forward. If you need it, you need to have set it up in advance. – fixer1234 – 2014-11-25T02:25:08.373

Correct. It must be set up. See the structure of an inode in ext4 ... there is no entry in that struct for access counts, only entries such as i_*time for various interaction times: access, inode change, data modification, and deletion. – glallen – 2014-11-25T05:03:43.870

Is it possible to write a script that will count the number of times a file or directory is opened starting now? – mynameis – 2014-11-26T03:28:36.837