[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 325
  • Last Modified:

Monitoring file access for security purposes (fuser?)

We have gotten wind of a potential 'mole' within the company who (we think) is rooting around in everyone's home directories (including Uniplex/ascii documents) and we want to get evidence of this.  I was intending setting up a small script to continually monitor all files in a directory waiting for one to report it was being used by 'fuser' then cut the user part out of the response to show who was accessing the file and when.  Trouble is, 'fuser' doesn't seem to be triggered off on a text/uniplex file with any of 'vi', 'cat', or 'view' so the 'fuser' never shows up as the file being used... is there a better way to record the info I'm after - I'm unaware of any arguments on fuser apart from 'k' and 'u' and they're not going to help.  Would I be better off doing a pseudo-vi (and cat and view) that calls the real ones, yet records who, what and when?
0
carled
Asked:
carled
  • 2
  • 2
1 Solution
 
mliberiCommented:
Wouldn't be better to allow accessing files only to users that can access them?

fuser only reports users using open files, it doesn't mantain an history.

changing all the commands that can be used to read files is very hard and do not guarantees the files not to be accessed because is very simple to write a "cat" program, compile it and giving it a funny name.
0
 
carledAuthor Commented:
Problem is, the person in question is sort of an administrator and needs to know the root password so he could bypass everything anyway.  I know that fuser reports the opening of a file - that's what I want to capture with my script, but if I have a screen sitting in a 'vi' session then go to another and do 'fuser filename' I get no reported processes using that filename!  The point of creating pseudo-vi, cat & view is so that he would be unaware he was being monitored and therefore wouldn't try to create an alternate!
0
 
mliberiCommented:
fuser reports that the file is not in use because vi opens the file, loads it's content in memory and closes it. So the file remains in the "open" state for a little amount of time, too little for fuser.

I suggest to monitor the process table instead. The vi process remains active for a greater time.

Run a cycle like this:

while :   # forever loop
do
  ps -ef | grep yourfilename >>logfile
  sleep 10
done

This will reveal all the processes (with user name and time) that accessed "yourfilename"

If you want to monitor more than a file you can use egrep

Another useful information: each file has a "last accessed time" that get updated even if the file is accessed in read-only mode. You could monitor that information change to see "when" the file has been last accessed.

To get it use "ls -ul yourfilename"

Anyway restrict as much as possible the access authorities for the file, so that the list of "crackers" is as short as possible.
0
 
carledAuthor Commented:
Thanks mliberi, I used a combination of the two and I think I've go something going now.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now