3

I would like to know when a specific file is being read and logs the process ID and executable name and also notify me by sending an email using mail.

Can kernel module do this? Is kernel module the only way to achieve this?

Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
drdot
  • 157
  • 5

1 Answers1

2

Reading a file invokes kernel code, so the kernel always knows. The question is how to get it to notify you.

On Linux, you can use the audit subsystem. Run auditctl to add a rule to watch this file:

auditctl -w /path/to/specific/file

The event is sent to the audit logs. You can request audit events to be emailed by configuring audispd — see How to send audit logs with audisp-remote and receive them with netcat for examples. Alternatively, set up email of audit reports; see Scott Pack's “Stump the Chump with Auditd 01”.

Community
  • 1
Gilles 'SO- stop being evil'
  • 807,993
  • 194
  • 1,674
  • 2,175
  • This utitlity is great. However, if I use $cat , this does not get logged by the tool. Why is that and how can I keep track of $cat to read files? – drdot Mar 06 '17 at 03:42
  • @dannycrane Access by `cat` gets logged, like from any other program. If you don't see an entry in the audit logs (`/var/log/audit/audit.log`) then you aren't running the audit daemon or you didn't set the rule with the right path. – Gilles 'SO- stop being evil' Mar 06 '17 at 11:09
  • but vim gets logged.... – drdot Mar 06 '17 at 18:38
  • @dannycrane Strange. Does adding `-p rwxa` to the `auditctl` call make any difference? (I think it's the default so it shouldn't make a difference but I don't see what could be the difference between vim and cat.) – Gilles 'SO- stop being evil' Mar 06 '17 at 18:49