Is there any way in Unix to find out who accessed a certain file in the last 1 week? It may be a user, or some script that FTPs it to some other place. Can I get a list of the user names that accessed a certain file? How can I find out who is accessing a particular file?
Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information). You can find out who was logged in at what time in the system logs; the last command gives you login history, and other logs such as /var/log/auth.log will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely).
The date at which a file was last read is called its access time, or atime for short. All unix filesystems can store it, but many systems don't record it, because it has a (usually small) performance penalty. ls -ltu /path/to/file or stat /path/to/file shows the file's access time.
If a user accessed the file and wasn't trying to hide his tracks, his shell history (e.g. ~/.bash_history) may have clues.
To find out what or who has a file open now, use lsof /path/to/file.
To log what happens to a file in the future, there are a few ways:
Use inotifywait. inotifywait -e access /path/to will print a line /path/to/ ACCESS file when someone reads file. This interface won't tell you who accessed the file; you can call lsof /path/to/file as soon as this line appears, but there's a race condition (the access may be over by the time lsof gets going).
LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. To configure it, see LoggedFS configuration file syntax.
You can use Linux's audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:
auditctl -w /path/to/file
If you put a watch on a directory, the files in it and its subdirectories recursively are also watched.
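Once such a watch is in place, the records in audit.log can be reduced to a who-and-when list. This is an added example, not part of the original answer: it assumes the usual SYSCALL/CWD/PATH record layout of audit.log, and the function names, the sample path /srv/data/report.dat and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads audit.log records on stdin and prints, for each event
# naming the target file: <epoch> auid=<login uid> uid=<uid> exe=<program>
who_accessed() {
    awk -v target="$1" '
    # Value of key=... in the current record, quotes stripped.
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # Records of one event share the "timestamp:serial" in msg=audit(...).
    !match($0, /audit\([0-9.]+:[0-9]+\)/) { next }
    { id = substr($0, RSTART + 6, RLENGTH - 7) }
    $1 == "type=SYSCALL" {
        who[id] = "auid=" field("auid") " uid=" field("uid") " exe=" field("exe")
    }
    $1 == "type=CWD" { cwd[id] = field("cwd") }
    $1 == "type=PATH" {
        name = field("name")
        # A file opened by relative name is logged relative to the CWD record.
        if (name !~ /^\//) name = cwd[id] "/" name
        if (name == target && !(id in seen)) { seen[id] = 1; order[++n] = id }
    }
    END {
        for (i = 1; i <= n; i++) {
            ts = substr(order[i], 1, index(order[i], ".") - 1)
            print ts, who[order[i]]
        }
    }'
}
# Constructed sample records (not from a real system), trimmed to the fields used.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:41): syscall=257 success=yes pid=901 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=CWD msg=audit(1700000000.101:41): cwd="/srv/data"
type=PATH msg=audit(1700000000.101:41): item=0 name="report.dat" inode=77 nametype=NORMAL
type=SYSCALL msg=audit(1700000050.200:42): syscall=257 success=yes pid=950 auid=1001 uid=0 comm="scp" exe="/usr/bin/scp"
type=CWD msg=audit(1700000050.200:42): cwd="/root"
type=PATH msg=audit(1700000050.200:42): item=0 name="/srv/data/report.dat" inode=77 nametype=NORMAL
type=SYSCALL msg=audit(1700000060.300:43): syscall=257 success=yes pid=960 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat"
type=CWD msg=audit(1700000060.300:43): cwd="/srv/data"
type=PATH msg=audit(1700000060.300:43): item=0 name="other.dat" inode=78 nametype=NORMAL
EOF
}
sample_log | who_accessed /srv/data/report.dat
```

On a real system the input would be /var/log/audit/audit.log instead of sample_log. The auid field is the login UID and stays fixed across su and sudo, so the second output line shows the account that logged in as 1001 reading the file while running as root.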
Thank you Gilles. I have this dat file created by the script. I just want to know what happens to that file after it is created. None of the other scripts are picking it up for further processing, so I want to see if someone is manually accessing that dat file.
@Jack: It's hard to say without knowing a lot more about your setup, but as long as nothing removes or renames the file, it'll be there for the other scripts to pick it up, whether or not someone else is accessing it. From your comment, I think you should be looking at what happens when you run your scripts.
Hey, you could create a nice circular loop with this: syslogd access log file /var/log/audit.log at 10:01\nsyslogd access log file /var/log/audit.log at 10:02\n...
Above example with inotifywait should be one of (see man page for more info):
inotifywait -e open /path/to/file
Or with monitoring mode and timestamp:
inotifywait -m --format '%w:%e:%T' --timefmt '%F %T %Z %z' /path/to/file
The previous answer is not the best practice for doing what you ask.
Linux has an API for this. The inotify API http://linux.die.net/man/7/inotify
Welcome to Stack Exchange. Answers are not presented in chronological order, so “previous answer” doesn't convey which answer you mean. I wonder which of the other two you're referring to anyway: one doesn't have anything that looks like good or bad practice, and the other one does mention the inotify API.
Most probably Glen refers to the answer above with default vote sorting. Indeed the most popular answer fails to present a solution to the question. There may be a number of reasons for which one might need to see how many times a file gets accessed for a given time frame.
As explained in unix.stackexchange.com/a/12251/20336 inotify API does not provide info about who accessed a given file. Plus inotify really does not help figuring out who accessed the file last week. You need audit features for that, which requires using software called auditd (however, even this does not help figuring out who accessed the file last week unless you had auditd already running last week).
This is not, in general, feasible. I have seen file systems with enough auditing to make it possible one way or the other, but it is not a general Unix thing, no.