[CentOS] find out who accessed a file

Fri Jan 23 21:23:44 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Fri, January 23, 2015 3:13 pm, Jonathan Billings wrote:
> On Fri, Jan 23, 2015 at 03:50:44PM -0500, Tim Dunphy wrote:
>>  Is there any way to find out the last user to access a file on a CentOS
>> 6.5 system?
> Unless you're using auditd (or a similar service) to watch the file,
> no.  You could probably use the logs and `last` to see who was logged
> in at the time and make a guess.

Also, you can look into shell history files (though that might be cleaned
by users). Admin is allowed to do that when investigates incident.

One more thing: if "access" constitutes execution of that file, you can
use lastcomm (if process accounting is enabled on the system). This only
tells you the command name (not its arguments....) - so if your file is
command and you are interested who executed it and when lastcomm is your

Good luck!


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247