4

I have to give someone access to my computer, but I want to know afterwards which files he accessed... Can I create a log file for that? Is there an existing program for that? I know how to track processes but I just want the files accessed by one user.

Arronical
Nano

3 Answers

4

Using iwatch

iwatch o_O is a realtime filesystem monitoring program using inotify and a working local mail service.


For a better obscurity you should change the mail address and start the daemon as root, or something else … :)


sudo apt-get install iwatch
  1. Create a configuration file with the name iwatch.xml

    <?xml version="1.0" ?>
    <!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >
    <config>
            <guard email="username@localhost" name="iWatch"/>
            <watchlist>
                    <title>a title</title>
                    <contactpoint email="username@localhost" name="foo bar"/>
                    <path type="recursive" events="default">/home/username</path>
            </watchlist>
    </config>
  2. Start the daemon

    iwatch -d -f iwatch.xml -p ~/iwatch.pid

    -d Execute the application as daemon. iWatch will run in foreground without this option.

    -f Specify alternative configuration file. Default is /etc/iwatch/iwatch.xml

    -p Specify an alternate pid file. Default: /var/run/iwatch.pid

  3. Check your local mails ;)


Some interesting events

-e event [,event[,..]]
   Specify a list of events you want to watch. Following are the possible events you
   can use:
access          : file was modified
modify          : file was modified
attrib          : file attributes changed
close_write     : file closed, after being opened in writeable mode
close_nowrite   : file closed, after being opened in read-only mode
close           : file closed, regardless of read/write mode
open            : file was opened
moved_from      : File was moved away from.
moved_to        : File was moved to.
move            : a file/dir within watched directory was moved
create          : a file was created within watched directory
delete          : a file was deleted within watched directory
delete_self     : the watched file was deleted
unmount         : file system on which watched file exists was unmounted
q_overflow      : Event queued overflowed
ignored         : File was ignored
isdir           : event occurred against dir
oneshot         : only send event once
all_events      : All events
default         : close_write, create, delete, move, delete_self and move_self.

More information here

A.B.
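The question is about files the guest *read*, and the `default` event set used in the configuration above (close_write, create, delete, move, delete_self, move_self) never fires for a file that is only opened and read. As an added example, not code from the answer or from the iwatch project, here is a variant of iwatch.xml that lists the read events explicitly and excludes a noisy subdirectory; the `events` list and the `exception` path type follow iwatch's DTD as I understand it and are assumptions, and the addresses and paths are placeholders as in the answer:

```xml
<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >
<config>
        <guard email="username@localhost" name="iWatch"/>
        <watchlist>
                <title>guest session on /home/username</title>
                <contactpoint email="username@localhost" name="foo bar"/>
                <!-- open and close_nowrite report plain reads, which events="default" omits;
                     close_write/create/delete/move still report modifications (assumed syntax) -->
                <path type="recursive" events="open,close_nowrite,close_write,create,delete,move">/home/username</path>
                <!-- browser and desktop caches are touched constantly; leave them out (assumed syntax) -->
                <path type="exception">/home/username/.cache</path>
        </watchlist>
</config>
```

`open` and `close_nowrite` fire for every read by every process, including your own shell, tab completion and desktop indexers, so expect a noisy mailbox and keep the watched path as narrow as the guest's needs allow. inotify does not report which uid opened the file, so if you need per-user attribution rather than a list of touched files, the audit framework in the next answer is the right tool.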
4

Don't reinvent the wheel - badly.

Use auditing. Tracking who accesses what files is exactly what auditing is for.

A good link to get started is here.

Auditing goals

By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include:

  • Audit file access and modification
    • See who changed a particular file
    • Detect unauthorized changes
  • Monitoring of system calls and functions
  • Detect anomalies like crashing processes
  • Set tripwires for intrusion detection purposes
  • Record commands used by individual users
Andrew Henle
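The answer names the tool but not the rules, so as an added example (not from the answer or from the audit project) here is a small POSIX shell script that generates the auditd rules for exactly the question's case, one user's accesses under one directory, and the query that reads the records back. `/home/guest`, uid `1001` and the key `guest-files` are placeholders I chose; the `b64`/`b32` pair assumes x86_64.

```shell
#!/bin/sh
# Added example, not from the answer or the audit project: rules for the Linux
# audit framework (auditd) that record every open, truncate, delete and rename
# under one directory when done by one login uid, plus the query that reads
# them back. /home/guest, uid 1001 and key guest-files are assumed placeholders;
# arch b64/b32 assumes x86_64.

# Print the two auditctl rules (64- and 32-bit syscall tables) for a path.
#   -a always,exit  log on syscall exit, whether it succeeded or failed
#   -S ...          the syscalls that open, truncate, remove or rename files
#   -F dir=PATH     only files under PATH, recursively
#   -F auid=UID     only actions by the user who logged in as UID; auid is set
#                   at login and survives su/sudo, unlike the effective uid
#   -k KEY          tag for ausearch -k KEY
audit_rules_for_user() {
    path=$1; uid=$2; key=$3
    for arch in b64 b32; do
        printf -- '-a always,exit -F arch=%s -S open,openat,truncate,unlink,unlinkat,rename,renameat -F dir=%s -F auid=%s -k %s\n' \
            "$arch" "$path" "$uid" "$key"
    done
}

# Number of rules a call emits; a sanity check on the generator.
rule_count() {
    audit_rules_for_user "$@" | wc -l | tr -d ' '
}

# Install the rules under /etc/audit/rules.d so they survive a reboot, then
# load them. Needs root and the auditd package; not run unless you call it.
#   apply_rules /home/guest "$(id -u guest)" guest-files
apply_rules() {
    audit_rules_for_user "$1" "$2" "$3" > "/etc/audit/rules.d/$3.rules"
    augenrules --load
}

# Show the records for a key, with uids and syscall names resolved (-i).
#   report guest-files            # today's records (run as root)
#   report guest-files yesterday  # or any ausearch --start keyword/date
report() {
    ausearch -k "$1" -i --start "${2:-today}"
}
```

Each record from `ausearch -i` carries `auid=` (who), `syscall=` (what) and a `name=` path (which file), which is the log the question asks for. Adding `-F success=1` to the rules keeps only opens that succeeded; leaving it out also records denied attempts, which on a shared machine is often the more interesting signal.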
1

Using find

The following solution does not work with deleted files, and only works if you have not set noatime in your fstab, e.g.:

defaults,noatime

Using find after you have your account back.

find ~ -atime -1

means accessed less than 1 day ago.

Or a combination:

find ~ -atime 1 -atime -2

means 1-2 days ago


From man find:

-atime n
      File  was  last  accessed n*24 hours ago.  When find figures
      out how many 24-hour periods ago the file was last accessed,
      any fractional part is ignored, so to match -atime +1, a file
      has to have been accessed at least two days ago.

-amin n
      File was last accessed n minutes ago.
A.B.
  • Nice, but you must also either set the `atime` attribute to the files to track prior to the access (using `chattr`) or mount the file system with the `atime` option: http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap6sec73.html – kos Jul 13 '15 at 16:24
  • @kos I thought, `defaults` includes `atime` – A.B. Jul 13 '15 at 16:27
  • The act of deleting files is not solved with this ;) – Rinzwind Jul 13 '15 at 16:28
  • @Rinzwind Umpf, you're right. – A.B. Jul 13 '15 at 16:29
  • Maybe inotify. But that probably works on a per file... so that will be lots of work :( – Rinzwind Jul 13 '15 at 16:31
  • @kos, you can recycle your answer: http://askubuntu.com/a/615435/367165 – A.B. Jul 13 '15 at 16:33
  • I don't know, now I can't, if you want to recycle it I won't mind, you gave the same answer as well! I'm trying to figure out which is the default behavior for `atime` in Ubuntu but I'm not on Ubuntu right now, on Debian `atime` is not changed for a simple read, if you want to test it on Ubuntu I used this: `ls -l --time=atime` – kos Jul 13 '15 at 16:37
  • Works in Ubuntu, tested. – A.B. Jul 13 '15 at 16:39
  • Ok +1 then, if you want to add the inoticoming thing you should feel free though! – kos Jul 13 '15 at 16:42
  • @kos I'm not sure if it works with sub-folders. – A.B. Jul 13 '15 at 17:06
  • @Rinzwind see my other answer =) – A.B. Jul 13 '15 at 18:19
  • No, probably not, or too much hassle to work out a solution. – kos Jul 13 '15 at 18:54
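The `find` answer and the comments under it turn on two things that are easy to get wrong: how `-atime n` rounds (the quoted man page says the fractional part is dropped) and whether a read updates atime at all on your mount. As an added example, not code from the answer, this POSIX shell script builds a scratch directory with constructed access times (`touch -a`) and runs the answer's own queries against it, so you can see which file lands in `-atime -1`, `-atime 1` and `-atime +1`. GNU touch, find and stat (as on Ubuntu) are assumed; the file names are mine.

```shell
#!/bin/sh
# Added example, not part of the answer: a scratch tree whose files carry
# constructed access times, and the answer's -atime / -amin queries run over
# it so the man page's rounding rule can be seen on real files.
# Assumes GNU touch/find/stat (Ubuntu).

# Scratch tree: three files, each "last read" at a different time in the past.
make_fixture() {
    dir=$(mktemp -d)
    touch -a -d '10 minutes ago' "$dir/read-just-now"
    touch -a -d '36 hours ago'   "$dir/read-yesterday"
    touch -a -d '3 days ago'     "$dir/read-days-ago"
    echo "$dir"
}

# The answer's "find ~ -atime -1": age in whole 24-hour periods is less than 1,
# i.e. accessed within the last 24 hours.
accessed_within_a_day() { find "$1" -type f -atime -1 | sort; }

# The answer's "find ~ -atime 1 -atime -2": exactly one whole period ago. The
# second test is redundant, since -atime 1 already excludes older files. A file
# read 36 hours ago lands here (1.5 periods, fraction dropped): it is in neither
# -atime -1 nor -atime +1.
accessed_one_day_ago() { find "$1" -type f -atime 1 -atime -2 | sort; }

# "-atime +1": more than one whole period, so at least two days ago, exactly
# as the quoted man page describes.
accessed_earlier() { find "$1" -type f -atime +1 | sort; }

# Minute resolution, for a guest session that lasted an hour rather than a day.
#   accessed_within_minutes "$HOME" 90
accessed_within_minutes() { find "$1" -type f -amin "-$2" | sort; }

# Access time as epoch seconds. Note it for a test file before the session and
# compare afterwards: with relatime (the Ubuntu default) a read updates atime
# only when the stored atime is older than mtime/ctime or more than a day old,
# so a file you read yourself shortly before handing over the machine will not
# show the guest's read.
atime_of() { stat -c %X "$1"; }
```

Running `make_fixture` and the four queries shows the split the comments were arguing about: `read-just-now` is the only hit for `-atime -1` and `-amin -30`, `read-yesterday` is the only hit for `-atime 1`, and `read-days-ago` is the only hit for `-atime +1`. Deleted files are still invisible to this method, as the answer and Rinzwind's comment say.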