Solved

Monitoring file access for security purposes (fuser?)

Posted on 1999-01-28
4
317 Views
Last Modified: 2010-05-18
We have gotten wind of a potential 'mole' within the company who (we think) is rooting around in everyone's home directories (including Uniplex/ascii documents) and we want to get evidence of this.  I was intending setting up a small script to continually monitor all files in a directory waiting for one to report it was being used by 'fuser' then cut the user part out of the response to show who was accessing the file and when.  Trouble is, 'fuser' doesn't seem to be triggered off on a text/uniplex file with any of 'vi', 'cat', or 'view' so the 'fuser' never shows up as the file being used... is there a better way to record the info I'm after - I'm unaware of any arguments on fuser apart from 'k' and 'u' and they're not going to help.  Would I be better off doing a pseudo-vi (and cat and view) that calls the real ones, yet records who, what and when?
0
Comment
Question by:carled
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 3

Expert Comment

by:mliberi
ID: 2009436
Wouldn't be better to allow accessing files only to users that can access them?

fuser only reports users using open files, it doesn't mantain an history.

changing all the commands that can be used to read files is very hard and do not guarantees the files not to be accessed because is very simple to write a "cat" program, compile it and giving it a funny name.
0
 
LVL 1

Author Comment

by:carled
ID: 2009437
Problem is, the person in question is sort of an administrator and needs to know the root password so he could bypass everything anyway.  I know that fuser reports the opening of a file - that's what I want to capture with my script, but if I have a screen sitting in a 'vi' session then go to another and do 'fuser filename' I get no reported processes using that filename!  The point of creating pseudo-vi, cat & view is so that he would be unaware he was being monitored and therefore wouldn't try to create an alternate!
0
 
LVL 3

Accepted Solution

by:
mliberi earned 50 total points
ID: 2009438
fuser reports that the file is not in use because vi opens the file, loads it's content in memory and closes it. So the file remains in the "open" state for a little amount of time, too little for fuser.

I suggest to monitor the process table instead. The vi process remains active for a greater time.

Run a cycle like this:

while :   # forever loop
do
  ps -ef | grep yourfilename >>logfile
  sleep 10
done

This will reveal all the processes (with user name and time) that accessed "yourfilename"

If you want to monitor more than a file you can use egrep

Another useful information: each file has a "last accessed time" that get updated even if the file is accessed in read-only mode. You could monitor that information change to see "when" the file has been last accessed.

To get it use "ls -ul yourfilename"

Anyway restrict as much as possible the access authorities for the file, so that the list of "crackers" is as short as possible.
0
 
LVL 1

Author Comment

by:carled
ID: 2009439
Thanks mliberi, I used a combination of the two and I think I've go something going now.
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
I have been running these systems for a few years now and I am just very happy with them.   I just wanted to share the manual that I have created for upgrades and other things.  Oooh yes! FreeBSD makes me happy (as a server), no maintenance and I al…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question