Re: How to tell what process accessed a file
What package and daemon does the audit of every file executed?
Phillip Hofmeister wrote:
On Sat, 14 Feb 2004 at 01:31:52PM -0500, Wade Richards wrote:
This isn't a major problem for me, but since it's related to auditing
file access, I thought the security people would have an answer.
Every once in a while I get a bunch of errors because some process tried
to access my CDROM, triggering automount when there's no disk in the
I'd like to figure out what program is doing this. I've already spent a
lot of time searching through my cron logs, to no avail.
Is there any way to audit file access, so I can see (after the fact)
which program was responsible for trying to view "/var/autofs/misc/cd"?
A few things.
1. You can see which file descriptors are currently open by running
lsof. This won't help you after the fact though.
2. I believe if you compile your kernel with the GRSecurity patch
(http://www.grsecurity.org) you can audit successful file opens (as one
of the kernel config options). WARNING: BE PREPARED FOR A HUGE LOG
3. Myself, I audit every command that gets executed. The log has a week
rotation period. In a week the log usually becomes around 90 MB (this
is just a log saying what was run, not what files were opened).
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
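The lsof approach from point 1 only shows what is open right now; the polling script below is an added example (not from the thread or its authors) that turns it into the after-the-fact record the original question asks for, by logging every process seen holding the path open. The path /var/autofs/misc/cd is the one from the question; the log file, the poll interval and the constructed lsof field output used for parsing are assumptions.

```shell
#!/bin/sh
# Added example: poll lsof for a path and keep a timestamped log of which
# processes had it open, so an intermittent accessor can be found later.
# lsof -F prints one field per line: "p<pid>", "c<command>", "n<name>"
# (an "f<fd>" line also appears per file and is ignored here).

# Turn lsof -F pcn field output into "pid command name" records.
parse_lsof_fields() {
    awk '
        /^p/ { pid = substr($0, 2); next }
        /^c/ { cmd = substr($0, 2); next }
        /^n/ { print pid, cmd, substr($0, 2) }
    '
}

# Poll the given path (and everything under it) every N seconds and
# append a timestamped record for each process that has it open.
# Usage (assumed log location): watch_path /var/autofs/misc/cd /var/log/cd-access.log 2
watch_path() {
    path=$1; logfile=$2; interval=${3:-2}
    while :; do
        # +D walks the directory tree; -F pcn requests pid, command and name
        lsof -F pcn +D "$path" 2>/dev/null \
            | parse_lsof_fields \
            | while read -r pid cmd name; do
                printf '%s pid=%s cmd=%s file=%s\n' \
                    "$(date '+%Y-%m-%dT%H:%M:%S')" "$pid" "$cmd" "$name"
              done >> "$logfile"
        sleep "$interval"
    done
}
```

A process that merely stats the mount point to trigger automount may never show up as an open descriptor, so a short poll interval helps but the kernel-level auditing in point 2 remains the only complete answer.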