Hey guys,
Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess.
Also, you can look into shell history files (though that might be cleaned by users). Admin is allowed to do that when investigates incident. One more thing: if "access" constitutes execution of that file, you can use lastcomm (if process accounting is enabled on the system). This only tells you the command name (not its arguments....) - so if your file is command and you are interested who executed it and when lastcomm is your friend.
Thanks for these suggestions! But one thing that I should have mentioned is that it's not a user logging into the system that's accessing that file. It's actually a php script that's trying to read from it. The script is failing to pull information from the file, and failing. It's trying to access the file as a user account that exists on the system . And we're seeing 'access denied' messages in the apache error logs.
An important difference, that I should have mentioned. Sorry about that! So I'm thinking if I can watch the file using auditd, I can see attempts by the user the script runs as in accessing the file?
Thanks Tim
On Fri, Jan 23, 2015 at 4:23 PM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
On Fri, January 23, 2015 3:13 pm, Jonathan Billings wrote:
On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote:
Is there any way to find out the last user to access a file on a CentOS 6.5 system?
Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess.
Also, you can look into shell history files (though that might be cleaned by users). Admin is allowed to do that when investigates incident.
One more thing: if "access" constitutes execution of that file, you can use lastcomm (if process accounting is enabled on the system). This only tells you the command name (not its arguments....) - so if your file is command and you are interested who executed it and when lastcomm is your friend.
Good luck!
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos