4

I have to give someone access to my computer, but I want to know afterwards which files he accessed... Can I create a log file for that? Is there an existing program for that? I know how to track processes but I just want the files accessed by one user.

Arronical
  • 20,241
Nano
  • 41

3 Answers

4

Using iwatch

iwatch o_O is a realtime filesystem monitoring program using inotify and a working local mail service


For a better obscurity you should change the mail address and start the daemon as root, or something else … :)


    sudo apt-get install iwatch

  1. Create a configuration file with the name iwatch.xml

    <?xml version="1.0" ?>
    <!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >
    <config>
            <guard email="username@localhost" name="iWatch"/>
            <watchlist>
                    <title>a title</title>
                    <contactpoint email="username@localhost" name="foo bar"/>
                    <path type="recursive" events="default">/home/username</path>
            </watchlist>
    </config>
  2. Start the daemon

    iwatch -d -f iwatch.xml -p ~/iwatch.pid
    

    -d Execute the application as daemon. iWatch will run in foreground without this option.

    -f Specify alternative configuration file. Default is /etc/iwatch/iwatch.xml

    -p Specify an alternate pid file. Default: /var/run/iwatch.pid

  3. Check your local mails ;)


Some interesting events

-e event [,event[,..]]
   Specify a list of events you want to watch. Following are the possible events you
   can use:
access          : file was modified
modify          : file was modified
attrib          : file attributes changed
close_write     : file closed, after being opened in writeable mode
close_nowrite   : file closed, after being opened in read-only mode
close           : file closed, regardless of read/write mode
open            : file was opened
moved_from      : File was moved away from.
moved_to        : File was moved to.
move            : a file/dir within watched directory was moved
create          : a file was created within watched directory
delete          : a file was deleted within watched directory
delete_self     : the watched file was deleted
unmount         : file system on which watched file exists was unmounted
q_overflow      : Event queued overflowed
ignored         : File was ignored
isdir           : event occurred against dir
oneshot         : only send event once
all_events      : All events
default         : close_write, create, delete, move, delete_self and move_self.

More information here

A.B.
  • 92,125
4

Don't reinvent the wheel - badly.

Use auditing. Tracking who accesses what files is exactly what auditing is for.

A good link to get started is here.

Auditing goals

By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include:

  • Audit file access and modification
    • See who changed a particular file
    • Detect unauthorized changes
  • Monitoring of system calls and functions
  • Detect anomalies like crashing processes
  • Set tripwires for intrusion detection purposes
  • Record commands used by individual users
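As an added example, not part of this answer: assume the rule `auditctl -w /home/username -p rwa -k guest-files` (an assumption, not something the answer gives) was loaded before the guest session. The script below parses a constructed, trimmed excerpt of /var/log/audit/audit.log and lists the files each login user (auid) touched; on a real system `ausearch -k guest-files -i` and `aureport -f` do this job, the script only shows what the records contain and why auid, which survives su/sudo, is the field that answers "who".

```python
import re
from collections import defaultdict

# Assumed rule, loaded before the guest session (not from the answer):
#   auditctl -w /home/username -p rwa -k guest-files
AUDIT_KEY = "guest-files"

# Constructed, trimmed excerpt of /var/log/audit/audit.log for that rule.
# Records of one event share the serial in msg=audit(TIME:SERIAL). auid is the
# login uid, which survives su/sudo, so it identifies the person, not the effective user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): syscall=257 success=yes exit=3 items=1 pid=4123 auid=1001 uid=1001 comm="cat" key="guest-files"
type=PATH msg=audit(1700000000.101:201): item=0 name="/home/username/notes.txt" inode=1234 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:202): syscall=257 success=yes exit=3 items=2 pid=4130 auid=1001 uid=1001 comm="vim" key="guest-files"
type=PATH msg=audit(1700000000.202:202): item=0 name="/home/username/" inode=1200 nametype=PARENT
type=PATH msg=audit(1700000000.202:202): item=1 name="/home/username/secret.key" inode=1235 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:203): syscall=257 success=no exit=-13 items=1 pid=4140 auid=1001 uid=1001 comm="cat" key="guest-files"
type=PATH msg=audit(1700000000.303:203): item=0 name="/home/username/.ssh/id_rsa" inode=1236 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:204): syscall=257 success=yes exit=3 items=1 pid=3010 auid=1000 uid=1000 comm="less" key="guest-files"
type=PATH msg=audit(1700000000.404:204): item=0 name="/home/username/notes.txt" inode=1234 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_events(log_text):
    """Group raw records by event serial: {serial: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        match = SERIAL_RE.search(line)
        if not match:
            continue  # not an audit record, or a truncated line
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[int(match.group(1))][fields["type"]].append(fields)
    return events


def files_accessed_by(log_text, auid, key=AUDIT_KEY):
    """Map each file touched by login user `auid` to [(command, succeeded), ...].
    Denied attempts (success=no) are kept: they record intent even though nothing
    was read. PATH records with nametype=PARENT name the directory, so skip them."""
    accessed = defaultdict(list)
    for _, records in sorted(parse_events(log_text).items()):
        for call in records.get("SYSCALL", []):
            if call.get("key") != key or call.get("auid") != str(auid):
                continue
            for path in records.get("PATH", []):
                if path.get("nametype") != "PARENT":
                    accessed[path["name"]].append((call["comm"], call["success"] == "yes"))
    return dict(accessed)
```

With the constructed records, the guest (auid 1001) shows up against three files including a denied read of .ssh/id_rsa, while the owner's own read of notes.txt stays attributed to auid 1000.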
1

Using find

The following solution does not work with deleted files, and only works if you have not set noatime in your fstab, e.g.:

    defaults,noatime

Using find after you have your account back.

    find ~ -atime -1

means accessed less than 1 day ago.

Or a combination:

    find ~ -atime 1 -atime -2

means 1-2 days ago


from man find

-atime n
      File  was  last  accessed n*24 hours ago.  When find figures
      out how many 24-hour periods ago the file was last accessed,
      any fractional part is ignored, so to match -atime +1, a file
      has to have been accessed at least two days ago.

-amin n
      File was last accessed n minutes ago.
A.B.
  • 92,125