Linux file access monitoring
Is there any way in unix to find out who accessed a certain file in the last week? It may be a user or some script that ftp'd it to some other place. Can I get a list of the user names who accessed a certain file? How can I find out who is accessing a particular file?
Unless you have extremely unusual logging policies in place, who accessed what file is not logged (that would be a huge amount of information). You can find out who was logged in at what time in the system logs; the last command gives you login history, and other logs such as /var/log/auth.log will tell you how users authenticated and from where they logged in (which terminal, or which host if remotely).
The date at which a file was last read is called its access time, or atime for short. All unix filesystems can store it, but many systems don’t record it, because it has a (usually small) performance penalty. ls -ltu /path/to/file or stat /path/to/file shows the file’s access time.
If a user accessed the file and wasn’t trying to hide his tracks, his shell history (e.g. ~/.bash_history) may have clues.
To find out what or who has a file open now, use lsof /path/to/file.
To log what happens to a file in the future, there are a few ways:
- Use inotifywait. inotifywait -me access /path/to will print a line /path/to/ ACCESS file when someone reads file. This interface won’t tell you who accessed the file; you can call lsof /path/to/file as soon as this line appears, but there’s a race condition (the access may be over by the time lsof gets going).
- LoggedFS is a stackable filesystem that provides a view of a filesystem tree, and can perform fancier logging of all accesses through that view. To configure it, see LoggedFS configuration file syntax.
- You can use Linux’s audit subsystem to log a large number of things, including filesystem accesses. Make sure the auditd daemon is started, then configure what you want to log with auditctl. Each logged operation is recorded in /var/log/audit/audit.log (on typical distributions). To start watching a particular file:
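Once a watch rule is in place, the question from the top of the thread ("who accessed this file?") is answered by joining the audit records of each event: the PATH record names the file and the SYSCALL record of the same event carries the login uid (auid), the effective uid, the program and whether the call succeeded. The parser below is an added example, not part of the answer above; the audit lines it reads are constructed to match what auditd writes for a rule like `auditctl -w /etc/ssh/sshd_config -p r -k sshd_config`, with made-up timestamps, pids, uids and serial numbers.

```python
"""Answer "who touched this file?" from Linux audit records (added example)."""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not a real capture).
# Each event is several lines sharing one msg=audit(<timestamp>:<serial>) id.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000001.123:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1 a2=0 a3=0 items=1 ppid=2100 pid=2155 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="sshd_config"
type=CWD msg=audit(1700000001.123:501): cwd="/home/alice"
type=PATH msg=audit(1700000001.123:501): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000002.456:502): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c0b2 a2=0 a3=0 items=1 ppid=2300 pid=2377 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts2 ses=5 comm="vim" exe="/usr/bin/vim" key="sshd_config"
type=PATH msg=audit(1700000002.456:502): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000003.789:503): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c0c3 a2=0 a3=0 items=1 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="sshd_config"
type=PATH msg=audit(1700000003.789:503): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
UNSET = "4294967295"   # auid printed for processes with no login session (daemons)


def parse_records(text):
    """Group raw lines by audit event serial; returns serial -> {type: [fields, ...]}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[m.group(2)][fields["type"]].append(fields)
    return events


def accesses_of(text, path):
    """One dict per audited event that named `path`: who (login uid and uid),
    which program, and whether the access succeeded, ordered by serial."""
    out = []
    for serial, recs in parse_records(text).items():
        if not any(p.get("name") == path for p in recs.get("PATH", [])):
            continue
        for sc in recs.get("SYSCALL", []):
            auid = sc.get("auid", UNSET)
            out.append({
                "serial": int(serial),
                # auid is the uid of the original login and survives su/sudo,
                # which is why it is the field to report, not uid alone
                "login_uid": None if auid == UNSET else int(auid),
                "uid": int(sc["uid"]),
                "comm": sc.get("comm"),
                "exe": sc.get("exe"),
                "success": sc.get("success") == "yes",
            })
    return sorted(out, key=lambda r: r["serial"])


if __name__ == "__main__":
    for row in accesses_of(SAMPLE_AUDIT_LOG, "/etc/ssh/sshd_config"):
        print(row)
```

The third event illustrates why the login uid matters: it was performed as root by a daemon with no session, so the answer to "which user" is "nobody logged in", while the second event shows a failed open (success=no, exit=-13, i.e. EACCES) that a plain atime check would never reveal.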
Find the Process That is Using a File in Linux
There may be a situation where, although nobody is accessing a share as far as you know, you are unable to unmount it. This is typically seen with mounted shares. The error you get is «the file is busy», and the same notice sometimes appears when trying to access an ordinary file. It means that a process on the system is using the file and keeping it open for reading or writing. When this occurs, we usually want to find out which process that is.
This tutorial shows how to identify the process that is using a file.
Note − Linux commands are case-sensitive.
Commands to find the process
There are a few commands that can assist us in locating processes that work with files, so we’ll start there. These commands collect information from the Linux kernel since it manages programs and file systems, among other things.
fuser command
fuser is a Linux command that reports which processes are using a specific file, directory, or socket. It also shows the kind of access and the user who owns each of those processes.
fuser can be run in verbose mode with the -v option, which prints extra columns showing what fuser found. Run fuser with the -v option:
Output
                     USER        PID ACCESS COMMAND
/run/scripts.txt:    student   64589 ..c.. less
The -k flag of fuser can also be used to kill the processes that are using a particular file or port.
Output
To verify that the process has been killed, we look up the “scripts.txt” file again:
Output
none of the processes are using scripts.txt
Again, I’ve encountered instances where some deleted processes continue to lock files until their parent process, or an application connected to that process, has finished running. You might need to use extra options, such as those in the example below, to view certain files.
lsof command
The lsof command stands for «list open files», but it can serve other purposes as well. It is often said that everything in Linux is a file. That is true in many ways, so a tool that identifies open files is actually rather helpful.
To find out who is using any file on a file system, use the lsof command. Running lsof on a Linux filesystem produces output like the following, which shows the owner and process details for every process using the file.
Output
COMMAND   PID  USER    FD TYPE DEVICE SIZE/OFF NODE NAME
systemd   1480 student 0r CHR  1,3    0t0      6    /dev/run/files
sh        1501 student 0r CHR  1,3    0t0      6    /dev/run/files
sh        1501 student 1w CHR  1,3    0t0      6    /dev/run/files
dbus-daem 1530 student 0u CHR  1,3    0t0      6    /dev/run/files
Xfce4-seb 1603 student 0r CHR  1,3    0t0      6    /dev/run/files
xfce4-ses 1603 student 1w CHR  1,3    0t0      6    /dev/run/files
at-spi-b  1604 student 0r CHR  1,3    0t       6    /dev/run/files
dbus-daem 1609 student 0u CHR  1,3    0t0      6    /dev/run/files
Run the following command to list the files opened by a specific user:
Output
COMMAND PID  USER    FD  TYPE DEVICE SIZE/OFF NODE    NAME
systemd 1480 student cwd DIR  8,3    4096     2       /
systemd 1480 student rtd DIR  8,3    4096     2       /
systemd 1480 student txt REG  8,3    1595792  3147496
Conclusion
In this tutorial, we saw examples of how to identify the processes that are using ports and directories on a Linux system with the fuser and lsof commands. These commands are especially helpful when you are trying to identify unknown programs that might be active on your system. I hope you find these examples useful.
Using lsof to find who is using a file or socket
lsof stands for List Open Files. It can help us find which process is using a file at a given point in time. The reason lsof is so useful in Unix/Linux systems is that sockets and devices are treated the same way as files (Pretty much everything is considered a file in Unix/Linux).
Running lsof without any arguments will list all open files in the system. If you have a lot of processes working with a lot of files, prepare to wait. The output looks something like this:
$ sudo lsof
COMMAND PID TID USER FD  TYPE DEVICE SIZE/OFF NODE    NAME
systemd 1       root cwd DIR  253,1  4096     2       /
systemd 1       root rtd DIR  253,1  4096     2       /
systemd 1       root txt REG  253,1  1577264  5374284 /lib/systemd/systemd
systemd 1       root mem REG  253,1  18976    5375835 /lib/x86_64-linux-gnu/libuuid.so.1.3.0
...
This command works better if executed as root or with sudo. If you execute it as any other user, you might only be able to see files owned by that user.
You can see a few things in the output:
- COMMAND — The unix command associated with the process. This field might be truncated.
- PID — ID of the process using the file.
- TID — ID of the thread using the file.
- USER — User that owns the process.
- FD — Usually this is a number representing a file descriptor, but there are also some special values (they can be found in man lsof). A file descriptor can be followed by r, w or u to represent read, write and read-write modes.
- TYPE — Because pretty much everything is considered a file, lsof will list all kinds of things. This field helps identify exactly what this thing is (file, directory, socket, etc.).
- DEVICE — Identifier for the device.
- SIZE/OFF — Depending on the type of file, this will be the size of the file or the offset.
- NODE — This varies depending on the type of file, but it can be an inode number for a regular file.
- NAME — Name of the file, device, stream, etc.
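Both the fuser/lsof tutorial above and this field list describe the same kernel data: every process exposes its open descriptors as symlinks under /proc/<pid>/fd, and the PID, FD and NAME columns are read straight from there. The script below is an added example (not code from the tutorial, the blog post or the lsof project) that performs that lookup directly, which is useful on minimal systems or containers where neither fuser nor lsof is installed. It assumes a Linux-style /proc; the sample entries in the matching function are constructed.

```python
"""Find which processes hold a file open by reading /proc, the source that
fuser and lsof consult (added example; assumes a Linux procfs)."""
import os
import sys

DELETED = " (deleted)"   # suffix the kernel appends when an open file was unlinked


def open_fds(proc_root="/proc"):
    """Yield (pid, fd, target) for every /proc/<pid>/fd/<n> symlink we may read.
    Other users' processes are skipped unless running as root, which is exactly
    why the blog post recommends running lsof with sudo."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # permission denied, or the process exited mid-scan
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:      # descriptor closed between listdir and readlink
                continue
            yield int(entry), int(fd), target


def match_users(entries, path):
    """Pure matching step over (pid, fd, target) tuples: returns {pid: [fd, ...]}
    for descriptors that refer to `path`. A file deleted while still open (the
    'still busy after rm' case from the tutorial) is matched via its suffix."""
    hits = {}
    for pid, fd, target in entries:
        base = target[:-len(DELETED)] if target.endswith(DELETED) else target
        if base == path:
            hits.setdefault(pid, []).append(fd)
    return hits


def processes_using(path):
    """Equivalent of `fuser path` / `lsof path`, limited to processes we may inspect."""
    return match_users(open_fds(), os.path.realpath(path))


def process_owner(pid):
    """Owner uid of a process, the USER column of fuser -v and lsof."""
    return os.stat(f"/proc/{pid}").st_uid


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/dev/null"
    for pid, fds in sorted(processes_using(target).items()):
        print(f"pid={pid} uid={process_owner(pid)} fds={fds}")
```

Because the scan is a walk over a live directory tree, it has the same race the inotify answer warns about: a process that closes the file between the listing and the readlink is simply not reported, so a miss is not proof that nobody had the file open a moment earlier.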
Find who is using the network
The most common use I have for lsof is finding which process is using a port I’m trying to use. I wrote an article a while ago explaining how to do this with ss (netstat), but it’s good to know how to do this with lsof too, in case ss is not available on the machine.
To see all the network connections we can use:
To find who is using port 4000, we can use:
How find out which process is using a file in Linux?
You can use the fuser command, which is part of the psmisc package, like:
You will receive a list of processes using the file.
You can use different flags with it, in order to receive a more detailed output.
You can find more info in fuser’s Wikipedia article, or in the man pages.
@khris, it might be that not all fuser implementations are the same, or work the same way. Even if -i is defined in POSIX, the particular implementation you are using does not necessarily have the same options as the ones described in the Wikipedia article. For example, I’m using AIX right now, and the fuser available in this system does not have the -i option either.
For some reason, neither fuser nor lsof were working for me on a virtualbox guest. This answer saved me.
@jim’s answer is correct — fuser is what you want.
Additionally (or alternatively), you can use lsof to get more information including the username, in case you need permission (without having to run an additional command) to kill the process. (Though of course, if killing the process is what you want, fuser can do that with its -k option. You can have fuser use other signals with the -s option — check the man page for details.)
For example, with a tail -F /etc/passwd running in one window:
ghoti@pc:~$ lsof | grep passwd
tail    12470 ghoti 3r REG 251,0 2037 51515911 /etc/passwd
Note that you can also use lsof to find out what processes are using particular sockets. An excellent tool to have in your arsenal.