Solved

Monitoring file access for security purposes (fuser?)

Posted on 1999-01-28
4
310 Views
Last Modified: 2010-05-18
We have gotten wind of a potential 'mole' within the company who (we think) is rooting around in everyone's home directories (including Uniplex/ascii documents) and we want to get evidence of this.  I was intending setting up a small script to continually monitor all files in a directory waiting for one to report it was being used by 'fuser' then cut the user part out of the response to show who was accessing the file and when.  Trouble is, 'fuser' doesn't seem to be triggered off on a text/uniplex file with any of 'vi', 'cat', or 'view' so the 'fuser' never shows up as the file being used... is there a better way to record the info I'm after - I'm unaware of any arguments on fuser apart from 'k' and 'u' and they're not going to help.  Would I be better off doing a pseudo-vi (and cat and view) that calls the real ones, yet records who, what and when?
0
Comment
Question by:carled
  • 2
  • 2
4 Comments
 
LVL 3

Expert Comment

by:mliberi
ID: 2009436
Wouldn't be better to allow accessing files only to users that can access them?

fuser only reports users using open files, it doesn't mantain an history.

changing all the commands that can be used to read files is very hard and do not guarantees the files not to be accessed because is very simple to write a "cat" program, compile it and giving it a funny name.
0
 
LVL 1

Author Comment

by:carled
ID: 2009437
Problem is, the person in question is sort of an administrator and needs to know the root password so he could bypass everything anyway.  I know that fuser reports the opening of a file - that's what I want to capture with my script, but if I have a screen sitting in a 'vi' session then go to another and do 'fuser filename' I get no reported processes using that filename!  The point of creating pseudo-vi, cat & view is so that he would be unaware he was being monitored and therefore wouldn't try to create an alternate!
0
 
LVL 3

Accepted Solution

by:
mliberi earned 50 total points
ID: 2009438
fuser reports that the file is not in use because vi opens the file, loads it's content in memory and closes it. So the file remains in the "open" state for a little amount of time, too little for fuser.

I suggest to monitor the process table instead. The vi process remains active for a greater time.

Run a cycle like this:

while :   # forever loop
do
  ps -ef | grep yourfilename >>logfile
  sleep 10
done

This will reveal all the processes (with user name and time) that accessed "yourfilename"

If you want to monitor more than a file you can use egrep

Another useful information: each file has a "last accessed time" that get updated even if the file is accessed in read-only mode. You could monitor that information change to see "when" the file has been last accessed.

To get it use "ls -ul yourfilename"

Anyway restrict as much as possible the access authorities for the file, so that the list of "crackers" is as short as possible.
0
 
LVL 1

Author Comment

by:carled
ID: 2009439
Thanks mliberi, I used a combination of the two and I think I've go something going now.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
create user in TSM 7 590
AIX Server 10 79
AIX    Volume group Auto ON/OFF question 2 90
bash while loop reading input from data section in script 7 64
Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. jgh@FreeBSD.org Please see http://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/ for the updated article. It is avail…
FreeBSD on EC2 FreeBSD (https://www.freebsd.org) is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now