Solved

Monitoring file access for security purposes (fuser?)

Posted on 1999-01-28
4
308 Views
Last Modified: 2010-05-18
We have gotten wind of a potential 'mole' within the company who (we think) is rooting around in everyone's home directories (including Uniplex/ascii documents) and we want to get evidence of this.  I was intending setting up a small script to continually monitor all files in a directory waiting for one to report it was being used by 'fuser' then cut the user part out of the response to show who was accessing the file and when.  Trouble is, 'fuser' doesn't seem to be triggered off on a text/uniplex file with any of 'vi', 'cat', or 'view' so the 'fuser' never shows up as the file being used... is there a better way to record the info I'm after - I'm unaware of any arguments on fuser apart from 'k' and 'u' and they're not going to help.  Would I be better off doing a pseudo-vi (and cat and view) that calls the real ones, yet records who, what and when?
0
Comment
Question by:carled
  • 2
  • 2
4 Comments
 
LVL 3

Expert Comment

by:mliberi
ID: 2009436
Wouldn't be better to allow accessing files only to users that can access them?

fuser only reports users using open files, it doesn't mantain an history.

changing all the commands that can be used to read files is very hard and do not guarantees the files not to be accessed because is very simple to write a "cat" program, compile it and giving it a funny name.
0
 
LVL 1

Author Comment

by:carled
ID: 2009437
Problem is, the person in question is sort of an administrator and needs to know the root password so he could bypass everything anyway.  I know that fuser reports the opening of a file - that's what I want to capture with my script, but if I have a screen sitting in a 'vi' session then go to another and do 'fuser filename' I get no reported processes using that filename!  The point of creating pseudo-vi, cat & view is so that he would be unaware he was being monitored and therefore wouldn't try to create an alternate!
0
 
LVL 3

Accepted Solution

by:
mliberi earned 50 total points
ID: 2009438
fuser reports that the file is not in use because vi opens the file, loads it's content in memory and closes it. So the file remains in the "open" state for a little amount of time, too little for fuser.

I suggest to monitor the process table instead. The vi process remains active for a greater time.

Run a cycle like this:

while :   # forever loop
do
  ps -ef | grep yourfilename >>logfile
  sleep 10
done

This will reveal all the processes (with user name and time) that accessed "yourfilename"

If you want to monitor more than a file you can use egrep

Another useful information: each file has a "last accessed time" that get updated even if the file is accessed in read-only mode. You could monitor that information change to see "when" the file has been last accessed.

To get it use "ls -ul yourfilename"

Anyway restrict as much as possible the access authorities for the file, so that the list of "crackers" is as short as possible.
0
 
LVL 1

Author Comment

by:carled
ID: 2009439
Thanks mliberi, I used a combination of the two and I think I've go something going now.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

When you do backups in the Solaris Operating System, the file system must be inactive. Otherwise, the output may be inconsistent. A file system is inactive when it's unmounted or it's write-locked by the operating system. Although the fssnap utility…
I have been running these systems for a few years now and I am just very happy with them.   I just wanted to share the manual that I have created for upgrades and other things.  Oooh yes! FreeBSD makes me happy (as a server), no maintenance and I al…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now