Hey guys,
Is there any way to find out the last user to access a file on a CentOS 6.5 system?
Thanks Tim
On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote:
Is there any way to find out the last user to access a file on a CentOS 6.5 system?
Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess.
On Fri, January 23, 2015 3:13 pm, Jonathan Billings wrote:
On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote:
Is there any way to find out the last user to access a file on a CentOS 6.5 system?
Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess.
Also, you can look into shell history files (though those might be cleaned by users). An admin is allowed to do that when investigating an incident.
One more thing: if "access" constitutes execution of that file, you can use lastcomm (if process accounting is enabled on the system). This only tells you the command name (not its arguments...), so if your file is a command and you are interested in who executed it and when, lastcomm is your friend.
Good luck!
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Hey guys,
Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess.
Also, you can look into shell history files (though those might be cleaned by users). An admin is allowed to do that when investigating an incident. One more thing: if "access" constitutes execution of that file, you can use lastcomm (if process accounting is enabled on the system). This only tells you the command name (not its arguments...), so if your file is a command and you are interested in who executed it and when, lastcomm is your friend.
Thanks for these suggestions! But one thing that I should have mentioned is that it's not a user logging into the system that's accessing that file. It's actually a PHP script that's trying to read from it. The script is failing to pull information from the file. It's trying to access the file as a user account that exists on the system. And we're seeing 'access denied' messages in the apache error logs.
An important difference, that I should have mentioned. Sorry about that! So I'm thinking if I can watch the file using auditd, I can see attempts by the user the script runs as to access the file?
Thanks Tim
On Fri, Jan 23, 2015 at 4:23 PM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
On Fri, January 23, 2015 3:13 pm, Jonathan Billings wrote:
On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote:
Is there any way to find out the last user to access a file on a CentOS 6.5 system?
Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess.
Also, you can look into shell history files (though those might be cleaned by users). An admin is allowed to do that when investigating an incident.
One more thing: if "access" constitutes execution of that file, you can use lastcomm (if process accounting is enabled on the system). This only tells you the command name (not its arguments...), so if your file is a command and you are interested in who executed it and when, lastcomm is your friend.
Good luck!
Valeri
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Sat, January 24, 2015 11:27 am, Tim Dunphy wrote:
Hey guys,
Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess.
Also, you can look into shell history files (though those might be cleaned by users). An admin is allowed to do that when investigating an incident. One more thing: if "access" constitutes execution of that file, you can use lastcomm (if process accounting is enabled on the system). This only tells you the command name (not its arguments...), so if your file is a command and you are interested in who executed it and when, lastcomm is your friend.
Thanks for these suggestions! But one thing that I should have mentioned is that it's not a user logging into the system that's accessing that file. It's actually a PHP script that's trying to read from it. The script is failing to pull information from the file. It's trying to access the file as a user account that exists on the system. And we're seeing 'access denied' messages in the apache error logs.
If it is a PHP script that is run by the web server, then the user the web server daemon runs as will be the one who needs access. On CentOS with the apache web server it is usually the unprivileged user "apache" (as apache starts as the privileged user root to read the certificate secret key, then drops privileges). You need to have the file in question be readable as apache. Easy debugging would be: get a root shell, then
su - apache
cat /path/to/file/in/question
(assuming it is an ASCII text file). One other thing I would try: disable SELinux, and see if that lets apache read the file, e.g.:
setenforce 0
Also: posting the relevant "access denied" lines from the web server logs may help others to spot something.
Valeri
An important difference, that I should have mentioned. Sorry about that! So I'm thinking if I can watch the file using auditd, I can see attempts by the user the script runs as to access the file?
Thanks Tim
On Fri, Jan 23, 2015 at 4:23 PM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
On Fri, January 23, 2015 3:13 pm, Jonathan Billings wrote:
On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote:
Is there any way to find out the last user to access a file on a CentOS 6.5 system?
Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess.
Also, you can look into shell history files (though those might be cleaned by users). An admin is allowed to do that when investigating an incident.
One more thing: if "access" constitutes execution of that file, you can use lastcomm (if process accounting is enabled on the system). This only tells you the command name (not its arguments...), so if your file is a command and you are interested in who executed it and when, lastcomm is your friend.
Good luck!
Valeri
-- GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
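Valeri's "su - apache; cat the file" test answers the question for one file, but when the result is "Permission denied" it does not tell you which component of the path is at fault. The script below is an added example (not from the thread or from any CentOS tool): it walks a path the way the kernel does for a given uid, checking the search bit on every directory and the read bit on the file, and names the first component that refuses. The uid 48 used in the comments is the conventional "apache" uid on CentOS; the paths are made up. It models classic mode bits only, so a path it reports as OK that still fails in the httpd error log points at POSIX ACLs or SELinux instead.

```shell
#!/bin/sh
# Added example: emulate the permission walk the kernel does when httpd, running
# as the unprivileged "apache" user, opens a file. Every directory on the way
# needs the search (x) bit for that user; the file itself needs the read (r) bit.
# Assumes GNU coreutils stat (as on CentOS). Only classic mode bits are modelled:
# POSIX ACLs and SELinux are not consulted.

# bit_set DIGIT BIT -> true if octal permission DIGIT contains BIT (4=r, 2=w, 1=x)
bit_set() { [ $(( $1 & $2 )) -ne 0 ]; }

# perm_digit MODE UID "GIDS" FILE_UID FILE_GID -> the owner/group/other digit that applies to UID
perm_digit() {
  perm=$(printf '%03d' "$1")            # stat prints e.g. "644", "1777" or "0"; pad to 3+ digits
  perm=${perm#"${perm%???}"}            # keep the last three digits, drop setuid/setgid/sticky
  if [ "$2" -eq "$4" ]; then
    printf '%s' "${perm%??}"            # owner digit
  else
    case " $3 " in
      *" $5 "*) g=${perm#?}; printf '%s' "${g%?}" ;;   # group digit
      *)        printf '%s' "${perm#??}" ;;            # other digit
    esac
  fi
}

# can_read_as UID "GID GID ..." /absolute/path
# Prints "OK" or "DENIED <component> (<reason>)"; returns 0, 1, or 2 if stat failed.
can_read_as() {
  uid=$1 gids=$2 target=$3
  if [ "$uid" -eq 0 ]; then echo "OK (uid 0 bypasses mode-bit checks)"; return 0; fi
  rest=${target#/} cur=
  while [ -n "$rest" ]; do
    name=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    cur="$cur/$name"
    info=$(stat -c '%u %g %a' "$cur" 2>/dev/null) || { echo "ERROR cannot stat $cur"; return 2; }
    set -- $info                          # $1=owner uid  $2=owner gid  $3=octal mode
    d=$(perm_digit "$3" "$uid" "$gids" "$1" "$2")
    if [ -n "$rest" ]; then               # intermediate directory: needs x to traverse
      bit_set "$d" 1 || { echo "DENIED $cur (no x for uid $uid, mode $3 owner $1:$2)"; return 1; }
    else                                  # the file itself: needs r
      bit_set "$d" 4 || { echo "DENIED $cur (no r for uid $uid, mode $3 owner $1:$2)"; return 1; }
    fi
  done
  echo OK
}

# Usage on the live box (apache is uid/gid 48 on a stock CentOS install):
#   can_read_as "$(id -u apache)" "$(id -G apache)" /path/to/file/in/question
```

A typical finding is a 0700 directory somewhere above the file, or a 0600 file owned by the account that deployed the application; the fix is then a group grant or a chmod on that one component rather than relaxing everything beneath the web root.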
On Sat, Jan 24, 2015 at 12:32:01PM -0600, Valeri Galtsev wrote:
One other thing I would try: disable selinux, and see if that lets apache read file, e.g.:
setenforce 0
Setting SELinux to permissive temporarily is a good start, although it's also helpful to check the audit logs, with:
ausearch -m avc -ts today
...to see if SELinux prevented access today. It's quite likely SELinux is preventing access, particularly if you're using PHP to read a file that's not in one of the standard WWW paths that the web server is allowed to access. SELinux prevents the web server from reading, writing or executing files outside of a fairly select few locations.
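Jonathan's two points, a file watch in auditd and `ausearch -m avc` for SELinux denials, come together in one log: once a watch exists, every open of the file (successful or not) produces a SYSCALL record plus a PATH record, and an SELinux refusal adds an AVC record with the same event serial. The script below is an added example, not from the thread or from the audit package: it reads raw audit.log lines and prints one line per open attempt, labelling it ok, denied by mode bits (EACCES with no AVC record), or denied by SELinux, and shows the uid and the auid (the login uid, which survives su and is what answers "which user"; 4294967295 means unset, i.e. a daemon started at boot). The log lines it runs on are constructed and trimmed for the example; the path, key name and uids are made up.

```shell
#!/bin/sh
# Added example: summarise auditd records for a watched file.
# On the live box (as root) the watch itself is:
#   auditctl -w /srv/app/config.ini -p rwa -k appcfg
# Records then land in /var/log/audit/audit.log; `ausearch -k appcfg -i` decodes
# them. The parser below works on the raw lines so the fields are visible.

# write_sample_log FILE: constructed audit.log excerpt (fields trimmed) for the demo.
write_sample_log() {
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1422108000.100:1001): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=900 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="appcfg"
type=PATH msg=audit(1422108000.100:1001): item=0 name="/srv/app/config.ini" inode=131 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
type=SYSCALL msg=audit(1422108200.500:1002): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1234 pid=1250 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="appcfg"
type=PATH msg=audit(1422108200.500:1002): item=0 name="/srv/app/config.ini" inode=131 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
type=AVC msg=audit(1422108300.900:1003): avc:  denied  { read } for  pid=1250 comm="httpd" name="config.ini" dev=dm-1 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1422108300.900:1003): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1234 pid=1250 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="appcfg"
type=PATH msg=audit(1422108300.900:1003): item=0 name="/srv/app/config.ini" inode=131 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:default_t:s0
EOF
}

# summarize_audit FILE: one line per open attempt, joined on the event serial
# (the number after the colon in msg=audit(ts:serial)).
#   ok                    open succeeded
#   denied(dac)           EACCES (exit=-13) with no AVC record: mode bits / owner
#   denied(selinux:PERM)  an AVC record exists for the same event
summarize_audit() {
  awk '
    function kv(k,   v) {                 # value of " k=..." on this line, quotes stripped
      if (!match($0, " " k "=[^ ]*")) return "-"
      v = substr($0, RSTART + length(k) + 2, RLENGTH - length(k) - 2)
      gsub(/"/, "", v); return v
    }
    function serial() { match($0, /:[0-9]+\):/); return substr($0, RSTART + 1, RLENGTH - 3) }
    /^type=SYSCALL / {
      id = serial(); order[++n] = id
      who[id] = "uid=" kv("uid") " auid=" kv("auid") " comm=" kv("comm") " exe=" kv("exe")
      ok[id]  = (kv("success") == "yes")
    }
    /^type=PATH / { id = serial(); where[id] = "path=" kv("name") " mode=" kv("mode") " ouid=" kv("ouid") }
    /^type=AVC / {
      id = serial(); p = $0
      sub(/.*denied +\{ */, "", p); sub(/ *\}.*/, "", p)     # the { perm } set
      perm[id] = p
      ctx[id]  = " scontext=" kv("scontext") " tcontext=" kv("tcontext")
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        if (ok[id])           st = "ok"
        else if (id in perm)  st = "denied(selinux:" perm[id] ")"
        else                  st = "denied(dac)"
        print id, st, who[id], where[id] ctx[id]
      }
    }
  ' "$1"
}

# Demo run against the constructed excerpt:
#   f=$(mktemp); write_sample_log "$f"; summarize_audit "$f"; rm -f "$f"
```

Reading the sample output: event 1001 is root (auid 1000, so a logged-in user who became root) editing the file with vim; 1002 is httpd refused by the 0600 mode bits, the case Valeri's su test catches; 1003 is httpd refused by SELinux even though the mode is now 0644, because the file carries default_t rather than an httpd-readable type, which is the case `setenforce 0` would mask and `ausearch -m avc` exposes.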