By Jack

2011-04-28 20:36:01 8 Comments

Is there any way in unix to find out who accessed certain file in last 1 week? It may be user or some script ftp it to some other place. Can I get a list of user name who accessed certain file? How can I find out who is accessing particular file??


@Gilles 'SO- stop being evil' 2011-04-28 21:05:26

Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information). You can find out who was logged in at what time in the system logs; the last command gives you login history, and other logs such as /var/log/auth.log will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely).

The date at which a file was last read is called its access time, or atime for short. All unix filesystems can store it, but many systems don't record it, because it has a (usually small) performance penalty. ls -ltu /path/to/file or stat /path/to/file shows the file's access time.

If a user accessed the file and wasn't trying to hide his tracks, his shell history (e.g. ~/.bash_history) may have clues.

To find out what or who has a file open now, use lsof /path/to/file.

To log what happens to a file in the future, there are a few ways:

  • Use inotifywait. inotifywait -e access /path/to will print a line /path/to/ ACCESS file when someone reads file. This interface won't tell you who accessed the file; you can call lsof /path/to/file as soon as this line appears, but there's a race condition (the access may be over by the time lsof gets going).

  • LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. To configure it, see LoggedFS configuration file syntax.

  • You can use Linux's audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:

    auditctl -w /path/to/file

    If you put a watch on a directory, the files in it and its subdirectories recursively are also watched.

@Jack 2011-04-28 21:13:39

Thank you Gilles.. I have this dat file created by the script. I just want to know what happens to that file after it is being created.. non of the other scripts are picking it for further process so I want to see if someone is manually accessing that dat file

@Gilles 'SO- stop being evil' 2011-04-28 21:17:30

@Jack: It's hard to say without knowing a lot more about your setup, but as long as nothing removes or renames the file, it'll be there for the other scripts to pick it up, whether or not someone else is accessing it. From your comment, I think you should be looking at what happens when you run your scripts.

@penguin359 2011-04-28 21:24:14

Hey, you could create a nice circular loop with this: syslogd access log file /var/log/audit.log at 10:01\nsyslogd access log file /var/log/audit.log at 10:02\n...

@Milan Kerslager 2016-09-05 08:05:26

Above example with inotifywait should be one of (see man page for more info):

inotifywait /path/to/file
inotifywait -e open /pat/to/file

Or with monitoring mode and timestamp:

inotifywait -m --format '%w:%e:%T' --timefmt '%F %T %Z %z'

@Glen 2011-04-29 08:47:39

The previous answer is not the best practice for doing what you ask. Linux has an API for this. The inotify API

  1. You can write a C program to do what you want just calling the inotify API directly
  2. You can use kfsmd, a daemon that uses inotify
  3. If you want something that works across platforms (inotify is Linux specific) and you are using Java, JNotify works across platforms(Linux, Mac, Windows), abstracting the native OS' underlying API.

@Gilles 'SO- stop being evil' 2011-04-29 10:14:06

Welcome to Stack Exchange. Answers are not presented in chronological order, so “previous answer” doesn't convey which answer you mean. I wonder which of the other two you're referring to anyway: one doesn't have anything that looks like good or bad practice, and the other one does mention the inotify API.

@Wtower 2017-03-03 23:15:54

Most probably Glen refers to the answer above with default vote sorting. Indeed the most popular answer fails to present a solution to the question. There may be a number of reasons for which one might need to see how many times a files gets accessed for a given time frame.

@Mikko Rantalainen 2018-03-16 13:43:14

As explained in inotify API does not provide info about who accessed a given file. Plus inotify really does not help figuring out who accessed the file last week. You need audit features for that, which requires using software called auditd (however, even this does not help figuring out who accessed the file last week unless you had auditd already running last week).

@tchrist 2011-04-28 21:07:27

This is not, in general, feasible. I have seen file systems with enough auditing to make it possible one way or the other, but it is not a general Unix thing, no.

Related Questions

Sponsored Content

1 Answered Questions

2 Answered Questions

[SOLVED] How to set (find) atime in seconds?

2 Answered Questions

2 Answered Questions

[SOLVED] Monitoring what program calls an executable file

3 Answered Questions

[SOLVED] Is there any way to tell exactly what files a command is accessing?

  • 2014-10-11 23:58:17
  • RPiAwesomeness
  • 334 View
  • 4 Score
  • 3 Answer
  • Tags:   files resources

1 Answered Questions

[SOLVED] Monitor file access count by user

2 Answered Questions

[SOLVED] Is it possible to know who visited my home directory?

2 Answered Questions

[SOLVED] How to find out the file offset of an opened file?

  • 2012-03-22 15:50:30
  • Ta Thanh Dinh
  • 11129 View
  • 26 Score
  • 2 Answer
  • Tags:   linux open-files

Sponsored Content