[CentOS] find out who accessed a file

Fri Jan 23 21:23:44 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Fri, January 23, 2015 3:13 pm, Jonathan Billings wrote:
> On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote:
>>  Is there any way to find out the last user to access a file on a CentOS
>> 6.5 system?
>
> Unless you're using auditd (or a similar service) to watch the file,
> no.  You could probably use the logs and `last` to see who was logged
> in at the time and make a guess.
>

Also, you can look into shell history files (though that might be cleaned
by users). Admin is allowed to do that when investigates incident.

One more thing: if "access" constitutes execution of that file, you can
use lastcomm (if process accounting is enabled on the system). This only
tells you the command name (not its arguments....) - so if your file is
command and you are interested who executed it and when lastcomm is your
friend.

Good luck!

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++