Solved

Monitoring file access for security purposes (fuser?)

Posted on 1999-01-28
4
314 Views
Last Modified: 2010-05-18
We have gotten wind of a potential 'mole' within the company who (we think) is rooting around in everyone's home directories (including Uniplex/ascii documents) and we want to get evidence of this.  I was intending setting up a small script to continually monitor all files in a directory waiting for one to report it was being used by 'fuser' then cut the user part out of the response to show who was accessing the file and when.  Trouble is, 'fuser' doesn't seem to be triggered off on a text/uniplex file with any of 'vi', 'cat', or 'view' so the 'fuser' never shows up as the file being used... is there a better way to record the info I'm after - I'm unaware of any arguments on fuser apart from 'k' and 'u' and they're not going to help.  Would I be better off doing a pseudo-vi (and cat and view) that calls the real ones, yet records who, what and when?
0
Comment
Question by:carled
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 3

Expert Comment

by:mliberi
ID: 2009436
Wouldn't be better to allow accessing files only to users that can access them?

fuser only reports users using open files, it doesn't mantain an history.

changing all the commands that can be used to read files is very hard and do not guarantees the files not to be accessed because is very simple to write a "cat" program, compile it and giving it a funny name.
0
 
LVL 1

Author Comment

by:carled
ID: 2009437
Problem is, the person in question is sort of an administrator and needs to know the root password so he could bypass everything anyway.  I know that fuser reports the opening of a file - that's what I want to capture with my script, but if I have a screen sitting in a 'vi' session then go to another and do 'fuser filename' I get no reported processes using that filename!  The point of creating pseudo-vi, cat & view is so that he would be unaware he was being monitored and therefore wouldn't try to create an alternate!
0
 
LVL 3

Accepted Solution

by:
mliberi earned 50 total points
ID: 2009438
fuser reports that the file is not in use because vi opens the file, loads it's content in memory and closes it. So the file remains in the "open" state for a little amount of time, too little for fuser.

I suggest to monitor the process table instead. The vi process remains active for a greater time.

Run a cycle like this:

while :   # forever loop
do
  ps -ef | grep yourfilename >>logfile
  sleep 10
done

This will reveal all the processes (with user name and time) that accessed "yourfilename"

If you want to monitor more than a file you can use egrep

Another useful information: each file has a "last accessed time" that get updated even if the file is accessed in read-only mode. You could monitor that information change to see "when" the file has been last accessed.

To get it use "ls -ul yourfilename"

Anyway restrict as much as possible the access authorities for the file, so that the list of "crackers" is as short as possible.
0
 
LVL 1

Author Comment

by:carled
ID: 2009439
Thanks mliberi, I used a combination of the two and I think I've go something going now.
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. jgh@FreeBSD.org Please see http://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/ for the updated article. It is avail…
My previous tech tip, Installing the Solaris OS From the Flash Archive On a Tape (http://www.experts-exchange.com/articles/OS/Unix/Solaris/Installing-the-Solaris-OS-From-the-Flash-Archive-on-a-Tape.html), discussed installing the Solaris Operating S…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question