Hey guys, Unless you're using auditd (or a similar service) to watch the file, no. You could probably use the logs and `last` to see who was logged in at the time and make a guess. Also, you can look into shell history files (though that might be cleaned by users). Admin is allowed to do that when investigates incident. One more thing: if "access" constitutes execution of that file, you can use lastcomm (if process accounting is enabled on the system). This only tells you the command name (not its arguments....) - so if your file is command and you are interested who executed it and when lastcomm is your friend. Thanks for these suggestions! But one thing that I should have mentioned is that it's not a user logging into the system that's accessing that file. It's actually a php script that's trying to read from it. The script is failing to pull information from the file, and failing. It's trying to access the file as a user account that exists on the system . And we're seeing 'access denied' messages in the apache error logs. An important difference, that I should have mentioned. Sorry about that! So I'm thinking if I can watch the file using auditd, I can see attempts by the user the script runs as in accessing the file? Thanks Tim On Fri, Jan 23, 2015 at 4:23 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote: > > On Fri, January 23, 2015 3:13 pm, Jonathan Billings wrote: > > On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote: > >> Is there any way to find out the last user to access a file on a CentOS > >> 6.5 system? > > > > Unless you're using auditd (or a similar service) to watch the file, > > no. You could probably use the logs and `last` to see who was logged > > in at the time and make a guess. > > > > Also, you can look into shell history files (though that might be cleaned > by users). Admin is allowed to do that when investigates incident. > > One more thing: if "access" constitutes execution of that file, you can > use lastcomm (if process accounting is enabled on the system). This only > tells you the command name (not its arguments....) - so if your file is > command and you are interested who executed it and when lastcomm is your > friend. > > Good luck! > > Valeri > > ++++++++++++++++++++++++++++++++++++++++ > Valeri Galtsev > Sr System Administrator > Department of Astronomy and Astrophysics > Kavli Institute for Cosmological Physics > University of Chicago > Phone: 773-702-4247 > ++++++++++++++++++++++++++++++++++++++++ > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B