On 8/27/07, Neil Parker <[EMAIL PROTECTED]> wrote:
> Jim K wrote,
> >Just a thought, is there any command that would show what program had
> >last accessed a file?
>
> No. The closest you can get is probably to run your suspicious software
> under the control of strace or something similar. This will report all
> system calls made by the process, including attempts to open files. (I
> believe this was exactly how Skype's suspicious behavior was discovered.)
>
> If you have kernel 2.6.13 or later, there is a set of system calls known
> collectively as "inotify", which provide a way for programs to monitor
> files and receive notification whenever somebody does something to a
> monitored file (such as try to read from it). This could be used to write
> a program to raise an alarm whenever something reads from /etc/passwd.
>
> Unfortunately, my system (Slackware 11, which shipped with a 2.4 kernel)
> includes no such software, nor any easy way to write such software (the
> necessary header files and libc support are missing). Newer distros
> might not be crippled like this...if anybody out there knows of a decent
> user interface for inotify, this would be an ideal occasion to mention it.
>
There is a Debian package inotify-tools which contains a program called
inotifywatch, which is a user-space tool for accessing the inotify system
calls. inotifywatch will record all file events for the files you specify
during the period you specify. It does not, however, capture which process
accessed the file.

_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
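The "alarm whenever something reads from /etc/passwd" idea from the quoted message, written against the raw inotify system calls as an added example; this is not code from the thread, from inotify-tools or from any distribution, and the function names (`watch_file`, `drain_events`, `demo_self_read`), the temporary file path and the sample passwd-style line are constructed for the demonstration. It needs a Linux kernel with inotify (2.6.13 or later) and a glibc that provides `sys/inotify.h`, which is exactly what the Slackware 11 / 2.4 setup in the quoted message lacked. Run with no arguments it watches a temporary file and reads it itself to show the events generated; run with a path (for example `/etc/passwd`) it blocks and prints one line per open, read, write or close of that file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>

/* Events that answer "was this file touched?": open, read, write, close. */
#define WATCH_MASK (IN_OPEN | IN_ACCESS | IN_MODIFY | IN_CLOSE)

/* Room for several events; each struct inotify_event is followed by an
 * optional name of ev->len bytes (always 0 when watching a single file). */
#define EVENT_BUF_LEN (16 * (sizeof(struct inotify_event) + NAME_MAX + 1))

/* Create a non-blocking inotify instance watching one file.
 * Returns the inotify fd, or -1 with errno set. */
int watch_file(const char *path)
{
    int fd = inotify_init1(IN_NONBLOCK);
    if (fd < 0)
        return -1;
    if (inotify_add_watch(fd, path, WATCH_MASK) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Read every queued event, print one line per event, and return the OR of
 * all masks seen. Note what struct inotify_event does NOT carry: it has
 * wd, mask, cookie, len and name, but no pid. This is the kernel-level
 * reason inotifywatch cannot tell you which process accessed the file.
 * With a non-blocking fd this returns when the queue is drained; with a
 * blocking fd it loops until read() fails, which is the monitor mode below. */
uint32_t drain_events(int fd)
{
    char buf[EVENT_BUF_LEN]
        __attribute__((aligned(__alignof__(struct inotify_event))));
    uint32_t seen = 0;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0)
            break;                      /* EAGAIN: nothing left queued */
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            seen |= ev->mask;
            printf("wd=%d mask=0x%08x%s%s%s%s\n", ev->wd, ev->mask,
                   (ev->mask & IN_OPEN)   ? " OPEN"   : "",
                   (ev->mask & IN_ACCESS) ? " ACCESS" : "",
                   (ev->mask & IN_MODIFY) ? " MODIFY" : "",
                   (ev->mask & IN_CLOSE)  ? " CLOSE"  : "");
            p += sizeof(*ev) + ev->len;
        }
    }
    return seen;
}

/* Self-contained demonstration: create a temp file (constructed, not a real
 * passwd), watch it, read it from this same process, and report the events. */
uint32_t demo_self_read(void)
{
    char path[] = "/tmp/inotify-demo-XXXXXX";            /* constructed */
    int tfd = mkstemp(path);
    if (tfd < 0)
        return 0;
    const char sample[] = "root:x:0:0:root:/root:/bin/sh\n"; /* constructed */
    if (write(tfd, sample, sizeof sample - 1) < 0) {
        close(tfd); unlink(path); return 0;
    }
    close(tfd);                 /* written before the watch: no MODIFY event */

    int ifd = watch_file(path);
    if (ifd < 0) { unlink(path); return 0; }

    /* The "suspicious read": open, read and close the watched file. */
    char tmp[64];
    int rfd = open(path, O_RDONLY);
    if (rfd >= 0) {
        (void)read(rfd, tmp, sizeof tmp);
        close(rfd);
    }
    uint32_t seen = drain_events(ifd);  /* expect OPEN, ACCESS, CLOSE */
    close(ifd);
    unlink(path);
    return seen;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("self-test mask=0x%08x\n", demo_self_read());
        return 0;
    }
    /* Monitor mode: watch the named file (e.g. /etc/passwd) until killed. */
    int fd = watch_file(argv[1]);
    if (fd < 0) { perror("inotify"); return 1; }
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK); /* block on read */
    drain_events(fd);
    return 0;
}
```

The self-test reads the file from the same process that holds the watch; inotify does not suppress a watcher's own events, so the OPEN, ACCESS and CLOSE events still arrive. If the "which process?" question matters, later kernels added the separate fanotify interface, whose event metadata does include a pid; inotify itself never reports one.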
