Re: How to tell what process accessed a file
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sat, 14 Feb 2004 at 01:31:52PM -0500, Wade Richards wrote:
> Hi,
>
> This isn't a major problem for me, but since it's related to auditing
> file access, I thought the security people would have an answer.
>
> Every once in a while I get a bunch of errors because some process tried
> to access my CDROM, triggering automount when there's no disk in the
> drive.
>
> I'd like to figure out what program is doing this. I've already spent a
> lot of time searching through my cron logs, to no avail.
>
> Is there any way to audit file access, so I can see (after the fact)
> which program was responsible for trying to view "/var/autofs/misc/cd"?
A few things.
1. You can see which file descriptors are currently open by running
lsof. This won't help you after the fact though.
2. I believe if you compile your kernel with the grsecurity patch
(http://www.grsecurity.org) you can audit successful file opens (as one
of the kernel config options). WARNING: BE PREPARED FOR A HUGE LOG
FILE!!!!!
3. Myself, I audit every command that gets executed. The log has a week
rotation period. In a week the log usually becomes around 90 MB (this
is just a log saying what ran, not what files were opened).
Good luck!
- --
Phillip Hofmeister
PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFALneuS3Jybf3L5MQRAiSoAJ0YDmSSEcigR0ymK53zeWDMkbD0/ACfd5w6
D2rH/l1zgi1nQOwyXprVQWc=
=U7ap
-----END PGP SIGNATURE-----
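A worked example for the question in this thread, added here and not part of the original post or of the grsecurity project: the Linux audit framework (auditd, which mainline kernels gained after this thread) answers "which process opened this path" after the fact without a patched kernel. The auditctl/ausearch commands need root and a running auditd; the parsing function below runs offline against a constructed audit.log sample (the pids, timestamps and program names in it are made up) so the logic can be checked anywhere. The watched path is the one from the question.

```shell
#!/bin/sh
# Added example (not from the original post): find which process accessed a path,
# after the fact, with the Linux audit framework instead of the grsecurity patch.
#
# Step 1 (root, with auditd running): watch the path for read/write/attribute
# access and tag every resulting record with a key we can search for later.
#   auditctl -w /var/autofs/misc/cd -p rwa -k cdrom-probe
#
# Step 2 (later, when the automount errors show up again): list the tagged
# records with uids and syscalls decoded to names.
#   ausearch -k cdrom-probe -i
#
# The function below does the essential part of step 2 by hand on raw audit.log
# records, so the example can run without auditd. The sample is constructed;
# syscall=257 is openat on x86_64, exit=-2 is ENOENT (no disk in the drive).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1076780000.123:42): arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=55d1c0 a2=80000 a3=0 items=1 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="updatedb" exe="/usr/bin/updatedb" key="cdrom-probe"
type=PATH msg=audit(1076780000.123:42): item=0 name="/var/autofs/misc/cd" nametype=UNKNOWN
type=SYSCALL msg=audit(1076780100.456:43): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0 a2=80000 a3=0 items=1 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="bash" exe="/bin/bash" key="other"
type=PATH msg=audit(1076780100.456:43): item=0 name="/etc/passwd" nametype=NORMAL
type=SYSCALL msg=audit(1076780200.789:44): arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=55d1c0 a2=80000 a3=0 items=1 ppid=1 pid=5151 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="find" exe="/usr/bin/find" key="cdrom-probe"
type=PATH msg=audit(1076780200.789:44): item=0 name="/var/autofs/misc/cd" nametype=UNKNOWN'

# who_touched KEY: print "pid comm exe" for every SYSCALL record tagged with KEY.
# Only SYSCALL records carry pid/comm/exe; the PATH record of the same event
# (same msg=audit(...:ID) value) names the file that was opened.
who_touched() {
  key="$1"
  printf '%s\n' "$SAMPLE_AUDIT_LOG" |
    awk -v key="key=\"$key\"" '
      $1 == "type=SYSCALL" && index($0, key) {
        pid = ""; comm = ""; exe = ""
        for (i = 1; i <= NF; i++) {
          if ($i ~ /^pid=/)  { pid  = substr($i, 5) }
          if ($i ~ /^comm=/) { comm = substr($i, 6) }
          if ($i ~ /^exe=/)  { exe  = substr($i, 5) }
        }
        gsub(/"/, "", comm); gsub(/"/, "", exe)
        print pid, comm, exe
      }'
}

# Usage: who_touched cdrom-probe
```

One caveat for the autofs case in particular: a `-w` watch follows the object at that path, and a mount appearing on top of it changes what the path resolves to, so if the watch looks quiet while the errors keep coming, audit the parent directory instead (`auditctl -a always,exit -F arch=b64 -S openat -F dir=/var/autofs/misc -k cdrom-probe`) and read the PATH record for the exact name. As the original reply warns for grsecurity, a wide rule like that can grow the log quickly; keep the key so you can remove it with `auditctl -W` / `auditctl -d` once the culprit is found.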