[CentOS] find out who accessed a file

Sat Jan 24 17:27:58 UTC 2015
Tim Dunphy <bluethundr at gmail.com>

Hey guys,

Thanks for these suggestions! But one thing that I should have mentioned is
that it's not a user logging into the system that's accessing that file.
It's actually a php script that's trying to read from it. The script is
failing to pull information from the file, and failing. It's trying to
access the file as a user account that exists on the system. And we're
seeing 'access denied' messages in the apache error logs.

An important difference, that I should have mentioned. Sorry about that! So
I'm thinking if I can watch the file using auditd, I can see attempts by
the user the script runs as in accessing the file?

Thanks
Tim

On Fri, Jan 23, 2015 at 4:23 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu>
wrote:

>
> On Fri, January 23, 2015 3:13 pm, Jonathan Billings wrote:
> > On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote:
> >>  Is there any way to find out the last user to access a file on a CentOS
> >> 6.5 system?
> >
> > Unless you're using auditd (or a similar service) to watch the file,
> > no.  You could probably use the logs and `last` to see who was logged
> > in at the time and make a guess.
> >
>
> Also, you can look into shell history files (though that might be cleaned
> by users). An admin is allowed to do that when investigating an incident.
>
> One more thing: if "access" constitutes execution of that file, you can
> use lastcomm (if process accounting is enabled on the system). This only
> tells you the command name (not its arguments....) - so if your file is a
> command and you are interested in who executed it and when, lastcomm is your
> friend.
>
> Good luck!
>
> Valeri
>
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
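
An added example, not part of the original thread: the auditd approach asked about above, as a watch rule plus a filter that pulls the denied attempts (which uid, which executable) out of audit records. The path, the key name `file-watch` and the two log records are constructed placeholders; `install_watch` and `show_events` need root and a running auditd, so they are only defined here, not called.

```shell
#!/bin/sh
# Added example; WATCHED_FILE and KEY are placeholders, not values from the thread.
WATCHED_FILE=/path/to/watched/file
KEY=file-watch

# On the real host, as root: record reads, writes and attribute changes.
install_watch() { auditctl -w "$WATCHED_FILE" -p rwa -k "$KEY"; }

# On the real host, as root: list tagged events with uids shown as names.
show_events() { ausearch -k "$KEY" -i; }

# Constructed SYSCALL records in the /var/log/audit/audit.log layout.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1422120478.123:4521): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a1c a1=0 a2=1b6 a3=0 items=1 ppid=1203 pid=1210 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="file-watch"
type=SYSCALL msg=audit(1422120501.456:4530): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd22 a1=0 a2=0 a3=0 items=1 ppid=2210 pid=2244 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=12 comm="cat" exe="/bin/cat" key="file-watch"
EOF
}

# Read audit records on stdin; print one line per failed syscall tagged $1:
# "<epoch> uid=<uid> exe=<path> exit=<errno>"  (exit=-13 is EACCES).
denied_accesses() {
    awk -v k="$1" '
    $1 == "type=SYSCALL" {
        split("", f)                       # reset per-record field map
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (n) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (f["key"] != "\"" k "\"" || f["success"] != "no") next
        t = substr(f["msg"], 7)            # drop leading "audit("
        sub(/\..*/, "", t)                 # keep whole seconds only
        e = f["exe"]; gsub(/"/, "", e)
        print t, "uid=" f["uid"], "exe=" e, "exit=" f["exit"]
    }'
}

sample_log | denied_accesses "$KEY"
```

On a live system the same filter can be fed from `/var/log/audit/audit.log`; the `uid`/`euid` fields identify the account the web server process was running as when the open failed.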