
This is a hypothetical question, not a problem I currently have.

How do you detect which process has used a file now or in the past?

To find out which process is accessing filename right now, lsof filename or fuser filename will do the work. But what if one wanted to know which processes accessed filename in the last 24 hours?

One could get away with this ugly (*) hack

while true; do fuser filename; sleep 1; done

and let it run for 24 hours in another term. But is there actually a better system, without setting up a whole audit framework?



(*) not to mention that fuser could fail to detect the access if it took less than 1 sec...

dr_


If your system has audit enabled, you can use that subsystem to audit access to specific files.

For example, to audit opens (or attempted opens) of the /etc/shadow file, you can use the following rule:

auditctl -a exit,always -S open -F path=/etc/shadow

Later on, you can then use this command to list the audited events corresponding to accesses to this file:

ausearch -f /etc/shadow

Note you need to be root to configure and query the audit system.

See the auditctl(8) man page for more details on how to set rules and the ausearch(8) man page for details on how to query the audit logs.

If you don't have audit enabled, you should look up information on how to do that specific to your Linux distribution, since details will vary.

filbranden
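The following script is an added example, not part of the original question or answer, showing the audit-based approach end to end: load a rule, pull the events for the last 24 hours, and reduce them to one line per process. It uses a file watch (`-w ... -p r`) tagged with a key rather than a syscall rule on `-S open` alone, because a watch matches whichever syscall opened the file; current glibc implements open(3) on top of openat(2), so a rule filtered on the `open` syscall only can miss ordinary opens. Assumptions: Linux with auditd, auditctl and ausearch installed; root for the `audit_*` functions; GNU `date -d`; ausearch's `-ts` date argument in MM/DD/YYYY form (it follows the locale); the key name `shadow_read` and the sample audit records are constructed here, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): watch a file with the Linux
# audit subsystem and summarise which processes opened it in the last 24 h.
# Assumptions: auditd/auditctl/ausearch present, root for audit_* functions,
# GNU date, ausearch -ts date in MM/DD/YYYY form, key name chosen by us.

FILE="${FILE:-/etc/shadow}"
KEY="shadow_read"

# Watch the file for read opens (-p r) and tag matching events with a key so
# they can be queried without sifting through every event on the system.
audit_watch() {
    auditctl -w "$FILE" -p r -k "$KEY"
    auditctl -l | grep -F -- "-k $KEY"   # confirm the rule is loaded
}

# Remove exactly the rule added above (auditctl -D would drop all rules).
audit_unwatch() {
    auditctl -W "$FILE" -p r -k "$KEY"
}

# Raw events tagged with our key from the last 24 hours.
audit_query() {
    ausearch -k "$KEY" \
        -ts "$(date -d '24 hours ago' +%m/%d/%Y)" "$(date -d '24 hours ago' +%H:%M:%S)"
}

# Reduce raw ausearch output to one line per SYSCALL record:
#   <epoch> <pid> <uid> <comm> <exe> <success>
# The epoch is taken from msg=audit(EPOCH.MS:SERIAL); the other fields are
# key=value tokens on the same record. Duplicate lines are collapsed.
summarise() {
    awk '
    /^type=SYSCALL / {
        t = ""; pid = ""; uid = ""; comm = ""; exe = ""; ok = ""
        if (match($0, /msg=audit\([0-9]+/)) t = substr($0, RSTART + 10, RLENGTH - 10)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "pid")     pid  = kv[2]
            else if (kv[1] == "uid")     uid  = kv[2]
            else if (kv[1] == "comm")    comm = kv[2]
            else if (kv[1] == "exe")     exe  = kv[2]
            else if (kv[1] == "success") ok   = kv[2]
        }
        gsub(/"/, "", comm); gsub(/"/, "", exe)
        print t, pid, uid, comm, exe, ok
    }' | sort -u
}

# Constructed sample in ausearch raw format: one successful read by root's
# cat, one EACCES failure by an unprivileged grep.
SAMPLE_EVENTS='----
time->Mon Jan  1 10:00:00 2024
type=PROCTITLE msg=audit(1704103200.123:456): proctitle=636174002F6574632F736861646F77
type=PATH msg=audit(1704103200.123:456): item=0 name="/etc/shadow" inode=12345 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1704103200.123:456): cwd="/root"
type=SYSCALL msg=audit(1704103200.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2e3f40 a2=0 a3=0 items=1 ppid=1000 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" subj=unconfined key="shadow_read"
----
time->Mon Jan  1 10:05:00 2024
type=PATH msg=audit(1704103500.456:457): item=0 name="/etc/shadow" inode=12345 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1704103500.456:457): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d8a1b2c3d0 a2=0 a3=0 items=1 ppid=2000 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=2 comm="grep" exe="/usr/bin/grep" subj=unconfined key="shadow_read"'

summarise_sample() {
    printf '%s\n' "$SAMPLE_EVENTS" | summarise
}

# Only touch the audit subsystem when asked explicitly (needs root); with no
# argument the script just exercises the parser on the constructed sample.
case "${1:-}" in
    --watch)   audit_watch ;;
    --unwatch) audit_unwatch ;;
    --report)  audit_query | summarise ;;
    *)         summarise_sample ;;
esac
```

Run `sudo ./auditwatch.sh --watch` once, come back later with `sudo ./auditwatch.sh --report`, and `--unwatch` when done. The `success=no` column is worth keeping in the report: a failed open of /etc/shadow by an unprivileged process is often the more interesting event. Note that audit rules loaded with auditctl do not survive a reboot; put them in the rules directory your distribution's auditd reads (see auditctl(8) and auditd.conf(5)) if they should be permanent.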