It provides a way to map activity to certain accounts, enabling administrators to trace:Ĭombined with strong security concepts such as encryption-protected authentication and authorization, auditing can ensure almost complete accountability. w /scratch/somefile.The general idea of auditing is to help keep user actions in check. # 2=shutdown, 1= goto runlevel 1, 0=no affect # Increase the buffers to survive stress events. Search for a line having WATCHTHIS or whatever you made the key, and the uid= and gid= is what you are after. The var/log/audit/audit.log entries, one per line, there will be many, each will have a timestamp in epoch time format that you will have to convert to human readable month/day/year/hr/min/sec. k optional, a filter key that is placed in audit.log whenever this audit event is triggered, highly recommended otherwise how are you going to find this event in audit.log change this accordingly make something unique that is easily searchable in a billion lines of audit.log.p the permissions filter, you have a combination of 4 total choices: read, write, execute, or append./etc/passwd we are watching this file, change this accordingly.Web search more on linux audit watch file -w /etc/passwd -p rwxa -k WATCHTHIS This is likely not the only way to do what you ask, but here is a rule that should do what you ask. Also peruse nf to get a full understanding of what is going on. You have to manually add rules as you see fit to your les file. Strictly doing what you ask: one specific file, yes.Ĭonfigure /etc/audit/les properly and service enable auditd and have the auditing service running and logging to /var/log/audit/audit.logīy default I think for most linux distributions auditing is on but the rules file is basically empty so you get very rudimentary items in the audit.log. Is there any way in unix to find out who accessed certain file in last 1 week? If you put a watch on a directory, the files in it and its subdirectories recursively are also watched. To start watching a particular file: auditctl -w /path/to/file Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). Make sure the auditd daemon is started, then configure what you want to log with auditctl. You can use Linux's audit subsystem to log a large number of things, including filesystem accesses. To configure it, see LoggedFS configuration file syntax. LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. This interface won't tell you who accessed the file you can call lsof /path/to/file as soon as this line appears, but there's a race condition (the access may be over by the time lsof gets going). inotifywait -me access /path/to will print a line /path/to/ ACCESS file when someone reads file. To log what happens to a file in the future, there are a few ways: To find out what or who has a file open now, use lsof /path/to/file. If a user accessed the file and wasn't trying to hide his tracks, his shell history (e.g. ls -ltu /path/to/file or stat /path/to/file shows the file's access time. All unix filesystems can store it, but many systems don't record it, because it has a (usually small) performance penalty. The date at which a file was last read is called its access time, or atime for short. You can find out who was logged in at what time in the system logs the last command gives you login history, and other logs such as /var/log/auth.log will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely). Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |