How can I log file access from users?
I have to give someone access to my computer, but I want to know afterwards which files he accessed. Can I create a log file for that? Is there an existing program for that? I know how to track processes but I just want the files accessed by one user.
3 Answers
Using iwatch
iwatch o_O is a realtime filesystem monitoring program using inotify and a working local mail service
For a better obscurity you should change the mail address and start the daemon as root, or something else … 🙂
sudo apt-get install iwatch
iwatch -d -f iwatch.xml -p ~/iwatch.pid
Some interesting events:
-e event[,event[,...]]
    Specify a list of events you want to watch. Following are the possible events you can use:
    access : file was modified
    modify : file was modified
    attrib : file attributes changed
    close_write : file closed, after being opened in writeable mode
    close_nowrite : file closed, after being opened in read-only mode
    close : file closed, regardless of read/write mode
    open : file was opened
    moved_from : File was moved away from.
    moved_to : File was moved to.
    move : a file/dir within watched directory was moved
    create : a file was created within watched directory
    delete : a file was deleted within watched directory
    delete_self : the watched file was deleted
    unmount : file system on which watched file exists was unmounted
    q_overflow : Event queue overflowed
    ignored : File was ignored
    isdir : event occurred against dir
    oneshot : only send event once
    all_events : All events
    default : close_write, create, delete, move, delete_self and move_self.
How to Monitor Linux File Access Using Auditd
Successfully monitoring Linux file access is an important milestone for users or Linux administrators working in a shared or public network setting. Linux file access monitoring helps us answer questions like: Who has had access to this file within the last week? Can I get a list of all users accessing file x? Can I know when file y is being accessed?
The logging policies set on your Linux distribution should give us timely records of which system user accessed the queried file(s), and when.
Auditd, the Audit Daemon, is the userspace component of the Linux Auditing System: the kernel generates audit records for the system calls and file accesses that match the loaded rules, and auditd receives those records and writes them to disk. Under Linux, anything labeled a daemon is a background service, so auditd runs in the background, collecting and writing audit log files.
Auditd Features
By installing and using Auditd on your Linux distribution, you will be able to implement the following audit-related functionality:
- Log the date, time, type and outcome of each event, together with the user and process responsible for it (uid, auid, pid).
- Log events matching the rules you define, with the subject (user, process) and object (file, system call) of each, including attempts that failed.
- Log authenticated user events, e.g. ssh logins.
- Log changes to the audit configuration files and rules.
- Log changes to sensitive files, e.g. /etc/passwd and /etc/shadow (the latter holds the password hashes).
- Log attempts to access the audit log files themselves.
Install Auditd (Linux Auditing System)
Before we look at the installation steps needed to have auditd up and running on your Linux operating system distribution, make sure you meet the following requirements/prerequisites:
- You have sudoer/root user privileges on your Linux system.
- You are comfortable with using the Linux command-line environment.
Reference the following auditd installation commands in regards to the Linux OS distribution you are using:
$ sudo apt install auditd          [On Debian, Ubuntu and Mint; the package is named auditd]
$ sudo yum install audit           [On RHEL/CentOS/Fedora and Rocky Linux/AlmaLinux]
$ sudo emerge -a sys-process/audit [On Gentoo Linux]
$ sudo pacman -S audit             [On Arch Linux]
$ sudo zypper install audit        [On OpenSUSE]
Auditd (Linux Auditing System) Usage
We are now ready to configure and manage auditd for tracking security-related information on our Linux systems.
The file /etc/audit/auditd.conf is the main auditd configuration file (log file location, rotation, and what to do when the disk fills up). Reading or editing it requires root privileges.
$ sudo nano /etc/audit/auditd.conf
To start auditd, enable it at boot and verify its status, we'll use the service command rather than systemctl to start and stop the daemon: the Red Hat documentation notes that only the service wrapper interacts with auditd in a way that records the login user ID (auid) correctly, and the systemd unit sets RefuseManualStop=yes, so systemctl stop auditd is refused.
$ sudo service auditd start
$ sudo systemctl enable auditd
$ sudo systemctl status auditd
Defining Audit Rules in Linux
We'll use the auditctl tool to add rules to the running kernel. Two kinds of rules exist: watch rules (-w) on a file or directory path, which log read, write, execute and attribute-change access to it, and system-call rules (-a ... -S syscall). Here we use watch rules.
The watch rule syntax is as follows:
# auditctl -w path_to_target_file -p permissions -k key_name
Example 1: Audit on User Creation Actions
Watch (-w) the /etc/passwd file for write (w) and attribute-change (a) access, given as the permissions (-p) argument. The key name (-k) tags every record this rule produces, so the records can later be found with ausearch -k.
$ sudo auditctl -w /etc/passwd -p wa -k user-modify
Stored logs related to auditd can be found in the file /var/log/audit/audit.log.
Let us create a Linux user (the account is called new_user below) to see whether auditd logs the change:
$ sudo useradd new_user
Time to check the auditd log file:
$ sudo grep user-modify /var/log/audit/audit.log
The matching records carry rich information: the record type (a SYSCALL record for the write, with a PATH record naming /etc/passwd), whether the call succeeded (success=yes or success=no), the user id (uid), login user id (auid), group id (gid) and process id (pid) of the process that modified /etc/passwd while creating new_user, the executable (exe) that did it, and the key (user-modify) that matched.
Example 2: Audit User actions on Directory X
The below command monitors read, write, execute, and attribute-change (rwxa) access to a user's Desktop directory; the watch covers the files and subdirectories beneath it.
$ sudo auditctl -w /home/dnyce/Desktop -p rwxa -k desktop-modified-files
Perform some read, write, execute, and attribute-change (rwxa) actions on the files on your desktop and check whether auditd updated its log file.
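Both examples leave you reading raw audit.log records, so here is an added example (not from this page or the audit project) of the join that ausearch -i -k performs: it parses the key=value records auditd writes, groups the SYSCALL, PATH and PROCTITLE records that share one msg=audit(timestamp:serial) id into an event, and reports who touched which file under which key. The log lines inside it are constructed to look like what the two watch rules above produce; the field names (auid, uid, exe, nametype, proctitle) are the real audit record fields. Two points it makes explicit: auid is the login user and survives sudo (the useradd event runs as uid=0 but keeps auid=1001), and denied accesses are logged too (success=no exit=-13).

```python
"""Correlate auditd records into events and answer "who touched which file?".

Added example, not from the page or the audit project. It parses the record
format auditd writes to /var/log/audit/audit.log, joins records sharing one
msg=audit(ts:serial) id and filters by the -k key, like `ausearch -i -k KEY`.
"""
import re

# Constructed sample records (not a real capture) from the two watch rules:
# 501: user 1001 reads a Desktop file; 502: useradd under sudo writes /etc/passwd
# (uid=0 but auid=1001 keeps the login user); 503: user 1002 is denied a write.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c2a1b70 a2=0 a3=0 items=1 ppid=4101 pid=4133 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="desktop-modified-files"
type=CWD msg=audit(1700000000.101:501): cwd="/home/dnyce"
type=PATH msg=audit(1700000000.101:501): item=0 name="/home/dnyce/Desktop/notes.txt" inode=262401 dev=08:02 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.101:501): proctitle=636174002F686F6D652F646E7963652F4465736B746F702F6E6F7465732E747874
type=SYSCALL msg=audit(1700000000.227:502): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d1c2a0 a2=241 a3=1b6 items=2 ppid=4150 pid=4162 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined key="user-modify"
type=PATH msg=audit(1700000000.227:502): item=0 name="/etc/" inode=131073 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.227:502): item=1 name="/etc/passwd" inode=131351 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.340:503): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffe1a2b3c40 a2=2 a3=0 items=1 ppid=4170 pid=4171 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" subj=unconfined key="user-modify"
type=PATH msg=audit(1700000000.340:503): item=0 name="/etc/passwd" inode=131351 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AUID_UNSET = 4294967295  # -1 as u32: no login session (boot, cron, daemons)


def decode_proctitle(value):
    """proctitle= is hex-encoded with NUL separators when unquoted; decode like ausearch -i."""
    try:
        return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")
    except ValueError:
        return value


def parse_record(line):
    """Split one record into a dict of fields plus its serial and timestamp."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields = {}
    for k, v in KV_RE.findall(line):
        if v.startswith('"'):
            v = v[1:-1]
        elif k == "proctitle":
            v = decode_proctitle(v)
        fields[k] = v
    fields["_serial"] = int(m.group("serial"))
    fields["_time"] = float(m.group("ts"))
    return fields


def group_events(text):
    """Group records by audit serial, keeping first-seen order."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["_serial"], []).append(rec)
    return events


def summarize_events(text, key=None):
    """One summary per event, optionally restricted to the records tagged with one -k key."""
    summaries = []
    for serial, recs in group_events(text).items():
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or (key is not None and syscall.get("key") != key):
            continue
        # PATH records also list the parent directory (nametype=PARENT); keep the objects.
        paths = [r["name"] for r in recs
                 if r.get("type") == "PATH" and "name" in r and r.get("nametype") != "PARENT"]
        proctitle = next((r["proctitle"] for r in recs if r.get("type") == "PROCTITLE"), None)
        auid = int(syscall["auid"])
        summaries.append({
            "serial": serial,
            "time": syscall["_time"],
            "key": syscall.get("key"),
            "auid": None if auid == AUID_UNSET else auid,  # login user; survives sudo/su
            "uid": int(syscall["uid"]),                      # effective identity at the time
            "exe": syscall.get("exe"),
            "cmdline": proctitle,
            "success": syscall.get("success") == "yes",
            "paths": paths,
        })
    return summaries


if __name__ == "__main__":
    for ev in summarize_events(SAMPLE_LOG):
        who = f"auid={ev['auid']} uid={ev['uid']}"
        print(f"{ev['serial']} {(ev['key'] or '-'):<24} {who:<18} {ev['exe']} "
              f"{'ok' if ev['success'] else 'DENIED'} {','.join(ev['paths'])}")
```

To run it against a real log, replace SAMPLE_LOG with the contents of /var/log/audit/audit.log (root-only), then filter with summarize_events(text, key="user-modify"). When reviewing what a guest user did, report on auid rather than uid: a sudo or su session changes uid to 0 but the kernel keeps the auid assigned at login.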
Persistent Audit Rules in Linux
These are watch rules kept in a rules file rather than added on the command line with auditctl, so they survive a reboot: augenrules merges every *.rules file under /etc/audit/rules.d/ into /etc/audit/audit.rules and loads them when auditd starts. For instance, to make the audit on user creation actions persistent, we'll open the following file.
$ sudo nano /etc/audit/rules.d/audit.rules
and add the same rule, without the auditctl prefix:
-w /etc/passwd -p wa -k user-modify
Finally, load the rules into the running daemon (a service auditd restart does the same thing; note that service auditd reload only re-reads auditd.conf, not the rules):
$ sudo augenrules --load
Confirm the audit rule addition by listing the active rules:
$ sudo auditctl -l
Searching Audit Logs in Linux
We can search audit logs by key name; -i interprets numeric fields (uid, syscall number, hex-encoded proctitle) into readable form:
$ sudo ausearch -i -k desktop-modified-files
Creating Audit Reports in Linux
aureport summarises the same log. For example, a report of executable (-x) events; -f reports on files and -k on keys in the same way:
$ sudo aureport -x
We now understand how easy it is to monitor Linux file access actions both temporarily and persistently via the Auditd utility.
Where are Apache file access logs stored?
Does anyone know where file access logs are stored, so I can run a tail -f command in order to see who is accessing a particular file. I have XAMPP, which is an Apache server installed on my machine, which automatically logs the accesses. It is stored in my installation folder.
On what distribution, or with what hosting provider? Logs are typically under /var/log, but some systems have them elsewhere.
4 Answers
Ultimately, this depends on your Apache configuration. Look for CustomLog directives in your Apache configuration, see the manual for examples.
A typical location for all log files is /var/log and subdirectories. Try /var/log/apache/access.log or /var/log/apache2/access.log or /var/log/httpd/access.log. If the logs aren't there, try running locate access.log access_log.
If you can’t find the log with Gilles’s answer, there are a couple more things you can try.
- Look in /var/log/httpd.
- Run sudo locate access.log as well as sudo locate access_log. The logs on my system were not visible except to root, and the file was called access_log instead of access.log.
Apache server records all incoming requests and all requests processed to a log file. The format of the access log is highly configurable. The location and content of the access log are controlled by the CustomLog directive. Default apache access log file location:
RHEL / Red Hat / CentOS / Fedora Linux Apache access file location –
Debian / Ubuntu Linux Apache access log file location –
FreeBSD Apache access log file location –
To find the exact Apache log file location, you can use the grep command:
# grep CustomLog /usr/local/etc/apache22/httpd.conf
# grep CustomLog /etc/apache2/apache2.conf
# grep CustomLog /etc/httpd/conf/httpd.conf
# a CustomLog directive (see below).
#CustomLog "/var/log/httpd-access.log" common
CustomLog "/var/log/httpd-access.log" combined
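Once the access log is located, the question of "who is accessing a particular file" is a parsing job. The following is an added example, not part of any answer in this thread and not Apache's own code: a parser for the Common and Combined formats that the CustomLog directives above produce, plus a filter that reports every request for one file. The log lines inside it are constructed (RFC 5737 documentation addresses), and the path is normalised before comparing, because /docs/report.pdf?dl=1 and /docs/%72eport.pdf are requests for the same file and a plain grep on the name would miss the second. Note the limits of this log: it identifies clients by IP and, only for HTTP authentication, by the authenticated user; it says nothing about operating-system users, which is what auditd above is for.

```python
"""Find who requested a given file from an Apache access log.

Added example (not from the thread or the Apache project): a parser for the
Common and Combined log formats plus a filter answering "who accessed FILE?".
Usage: tail -f /var/log/apache2/access.log | python3 who_accessed.py /docs/report.pdf
"""
import posixpath
import re
import sys
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines (not a real log). Includes a query string, a
# percent-encoded path, a denied request (403), a 408 with no request line
# (Combined format writes "-"), and one Common-format line without referer/agent.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /docs/report.pdf HTTP/1.1" 200 2326 "http://example.com/start.html" "Mozilla/5.0"
198.51.100.7 - alice [10/Oct/2023:13:56:01 +0000] "GET /docs/report.pdf?dl=1 HTTP/1.1" 200 2326 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:40 +0000] "GET /docs/%72eport.pdf HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:58:02 +0000] "-" 408 - "-" "-"
10.0.0.5 - - [10/Oct/2023:13:59:00 +0000] "HEAD /docs/report.pdf HTTP/1.0" 200 -
"""

# Common format: host ident user [time] "request" status size
# Combined format adds: "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def normalize_path(raw_path):
    """Drop the query string, percent-decode, and collapse ./.. and // segments."""
    return posixpath.normpath(unquote(raw_path.split("?", 1)[0]))


def parse_access_line(line):
    """Parse one Common/Combined format line; returns None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # HTTP auth user only
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], raw_path, rec["protocol"] = parts
        rec["path"] = normalize_path(raw_path)
    else:
        # "-" or a malformed request line (e.g. a 408 timeout): nothing was requested.
        rec["method"] = rec["path"] = rec["protocol"] = None
    return rec


def accesses(lines, target):
    """Every request for `target`, denied ones (401/403) included, in log order."""
    target = normalize_path(target)
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is not None and rec["path"] == target:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: who_accessed.py /path/on/server < access.log")
    for hit in accesses(sys.stdin, sys.argv[1]):
        print(f"{hit['time'].isoformat()} {hit['ip']:<15} user={hit['user'] or '-'} "
              f"{hit['method']} {hit['status']} {hit['agent'] or ''}")
```

Piping tail -f into the script keeps the live view the question asks for; reading the whole file answers "who has fetched this since the log was rotated". The 403 line is worth keeping in the output: a denied request still tells you someone was looking for the file.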