Lightweight File Access Logger

New configuration (How To)

Situation

You want to track when someone or something opens a file (for debugging, auditing, or paranoia), but you don’t want to install or configure a full kernel-level auditing system like auditd.

Solution

Solution Overview:

Use inotifywait in combination with a named pipe and a loop to passively log access to a file or directory in real time. No root is required to run the watcher.

Steps:

  1. Install inotify-tools:

sudo apt install inotify-tools

  2. Create a named pipe:

mkfifo /tmp/accesslog.pipe

  3. Set up the monitor (can be wrapped in a script):

inotifywait -m -e open /path/to/watch > /tmp/accesslog.pipe &

  4. Read and log entries with timestamps:

# IFS= and -r keep leading spaces and backslashes in file names intact
while IFS= read -r line; do
    echo "$(date +"%Y-%m-%d %H:%M:%S") - $line" >> ~/access.log
done < /tmp/accesslog.pipe

You can even redirect this into logger to send it to syslog:

... | while IFS= read -r line; do logger "[filewatch] $line"; done
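
A wrapped version of the steps above, as an added example that is not part of the original article: it creates the FIFO in a private mktemp directory instead of a fixed /tmp path, strips control characters from event lines before logging, and cleans up on exit. The function names, the --format string and the script arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): hardened wrapper for the
# inotifywait + FIFO pipeline. Names and the --format string are assumptions.

# Read event lines on stdin, prefix a timestamp, append to the log file $1.
# Control characters (ESC, CR, ...) are stripped so a crafted file name
# cannot write terminal escape sequences into the log.
log_events() {
    logfile=$1
    while IFS= read -r line; do
        clean=$(printf '%s' "$line" | tr -d '\000-\037\177')
        printf '%s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$clean" >> "$logfile"
    done
}

# Watch $1 for open events and log them to $2 until interrupted.
watch_path() {
    target=$1
    logfile=$2
    watcher=
    # Private 0700 directory with a random name: another local user cannot
    # pre-create or read the FIFO, unlike a fixed path under /tmp.
    workdir=$(mktemp -d) || return 1
    # Stop the watcher and remove the FIFO however the script ends.
    trap '[ -n "$watcher" ] && kill "$watcher" 2>/dev/null; rm -rf "$workdir"' EXIT
    trap 'exit 130' INT TERM
    fifo=$workdir/events.pipe
    mkfifo -m 600 "$fifo" || return 1
    inotifywait -q -m -e open --format '%e %w%f' "$target" > "$fifo" &
    watcher=$!
    log_events "$logfile" < "$fifo"
}

# Usage: sh filewatch.sh /path/to/watch ~/access.log
if [ "$#" -eq 2 ]; then
    watch_path "$1" "$2"
fi
```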

Use Case Examples:

  • Track who or what is opening SSH config files or credential files

  • Debug unexpected file accesses in crontabs or systemd jobs

  • Monitor changes on a shared NFS directory or USB mount.

Caveats:

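  • This only logs the open event, not modifications.

  • inotify reports the path and the event type only, not the process or user that opened the file.

  • It will miss extremely fast events unless handled with care.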

Solution type

Permanent
