How to log a user's file access?


I have to give someone access to my computer, but afterwards I want to know which files he accessed... Can I create a log file for this? Is there a ready-made program? I know how to track processes, but I only want the files a user accessed.

Answer 1

Use iwatch

iwatch, a realtime filesystem monitoring program using inotify, plus a working local mail service.


To hide it better, you should change the mail address and start the daemon as root, or start it in some other way... :)


    sudo apt-get install iwatch

  1. Create a configuration file named iwatch.xml

    <?xml version="1.0" ?>
    <!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd">
    <config>
            <guard email="username@localhost" name="iWatch"/>
            <watchlist>
                    <title>Title</title>
                    <contactpoint email="username@localhost" name="foo bar"/>
                    <path type="recursive" events="default">/home/username</path>
            </watchlist>
    </config>

  2. Start the daemon

    iwatch -d -f iwatch.xml -p ~/iwatch.pid


    -d runs the application as a daemon. Without this option, iWatch runs in the foreground.

    -f specifies an alternative configuration file. Default: /etc/iwatch/iwatch.xml

    -p specifies an alternative pid file. Default: /var/run/iwatch.pid

  3. Check your local mail ;)


Some interesting events

-e event [,event[,..]]
   Specify a list of events you want to watch. Following are the possible events you
   can use:
access          : file was modified
modify          : file was modified
attrib          : file attributes changed
close_write     : file closed, after being opened in writeable mode
close_nowrite   : file closed, after being opened in read-only mode
close           : file closed, regardless of read/write mode
open            : file was opened
moved_from      : File was moved away from.
moved_to        : File was moved to.
move            : a file/dir within watched directory was moved
create          : a file was created within watched director
delete          : a file was deleted within watched directory
delete_self     : the watched file was deleted
unmount         : file system on which watched file exists was unmounted
q_overflow      : Event queued overflowed
ignored         : File was ignored
isdir           : event occurred against dir
oneshot         : only send event once
all_events      : All events
default         : close_write, create, delete, move, delete_self and move_self.

More information here.
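The question asked for a log file rather than mail, so here is an added example (not the answer's own code, and not iwatch itself) that uses inotifywait from inotify-tools, the same inotify mechanism iwatch is built on, to append read events under a directory to a plain log file. It assumes inotify-tools is installed (sudo apt-get install inotify-tools); WATCH_DIR and LOG_FILE are placeholders to change. Two points the answer does not spell out: iwatch's "default" event set (close_write, create, delete, move...) contains no open or access event, so it would miss pure reads, and inotify carries no uid, so this tells you which files were read but not by whom; for "who", see the auditd answer.

```shell
#!/bin/sh
# Added example, not part of the answer above: write file reads under one
# directory to a plain log file using inotifywait (inotify-tools, assumed
# installed with: sudo apt-get install inotify-tools). WATCH_DIR and
# LOG_FILE are assumptions. inotify reports no uid, so this answers
# "which files" but not "which user"; for that, use auditd.
WATCH_DIR="${WATCH_DIR:-/home/username}"
LOG_FILE="${LOG_FILE:-/var/log/file-access.log}"

# inotifywait is started with --format '%T|%e|%w%f', so each line is
# TIMESTAMP|EVENT[,EVENT...]|PATH. Turn one such line into a log record.
format_event() {
    ts=${1%%|*}
    rest=${1#*|}
    events=${rest%%|*}
    path=${rest#*|}
    case ",$events," in
        *,ISDIR,*) kind=dir ;;
        *)         kind=file ;;
    esac
    printf '%s %s %s %s\n' "$ts" "$kind" "$events" "$path"
}

# Events that show a file was read: OPEN, ACCESS (a read() happened) and
# CLOSE_NOWRITE (closed after a read-only open). Writes are left out
# because the question is about reads, and iwatch's "default" event set
# (close_write, create, delete, move...) would miss reads entirely.
is_read_event() {
    case ",$1," in
        *,OPEN,*|*,ACCESS,*|*,CLOSE_NOWRITE,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Filter a stream of inotifywait lines on stdin down to formatted read
# records on stdout.
log_reads() {
    while IFS= read -r line; do
        rest=${line#*|}
        if is_read_event "${rest%%|*}"; then
            format_event "$line"
        fi
    done
}

# Live monitor: run as "sh thisfile run" (needs read access to WATCH_DIR
# and write access to LOG_FILE; -m keeps watching, -r recurses, -q quiets
# inotifywait's own banner).
if [ "${1:-}" = "run" ]; then
    inotifywait -m -r -q -e open -e access -e close_nowrite \
        --timefmt '%Y-%m-%dT%H:%M:%S' --format '%T|%e|%w%f' "$WATCH_DIR" \
        | log_reads >> "$LOG_FILE"
fi
```

Recursive watches on a large home directory need one inotify watch per subdirectory, so check fs.inotify.max_user_watches (sysctl) if inotifywait complains about running out of watches; and because inotify is not a security boundary, the log file itself should live where the watched user cannot edit it.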

Answer 2

Don't reinvent the wheel; it will be bad.

Use auditd. Tracking who accessed which files is exactly what auditing is for.

A good link to get started is here.

Auditing goals

By using a powerful audit framework, the system can track many types of events to monitor and audit the system. Examples include:

  • Audit access to and modification of files
    • See who changed a particular file
    • Detect unauthorized changes
  • Monitor system calls and functions
  • Detect anomalies such as crashing processes
  • Set tripwires for intrusion detection
  • Record the commands used by individual users
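The answer names auditd but shows no rule, so here is an added example (mine, not from the answer or the auditd project) of the two rule shapes that fit the question and a small summariser for the raw records auditd writes. The directory, key and uid are placeholders; the audit.log lines in sample_audit_log are constructed for the demo, although the field names they use (msg, auid, uid, comm, name, nametype, key) are the real ones. The useful field is auid, the login uid: it survives su and sudo, so it still names the person who logged in even when the process runs as someone else.

```shell
#!/bin/sh
# Added example, not from the answer above: an auditd watch on one
# directory plus a summariser for the raw records it produces.
# WATCH_DIR, AUDIT_KEY and the uid are assumptions; change them.
WATCH_DIR="${WATCH_DIR:-/home/username}"
AUDIT_KEY="${AUDIT_KEY:-user-files}"

# File-watch rule for /etc/audit/rules.d/<name>.rules (load with
# augenrules --load or auditctl -R <file>): -w path, -p permissions to
# record (r read, w write, x execute, a attribute change), -k key so that
# ausearch -k finds the records.
audit_watch_rule() {
    printf '%s\n' "-w $1 -p $2 -k $3"
}

# Syscall rule restricted to one login uid: records every openat() by
# that user on a 64-bit system, wherever the file is.
audit_user_open_rule() {
    printf '%s\n' "-a always,exit -F arch=b64 -S openat -F auid=$1 -k $2"
}

# Constructed sample of raw /var/log/audit/audit.log records for one
# event (a user reading one file with cat); not captured from a real host.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 items=2 ppid=1 pid=2 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="user-files"
type=CWD msg=audit(1700000000.123:456): cwd="/home/username"
type=PATH msg=audit(1700000000.123:456): item=0 name="/home/username/" inode=1 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:456): item=1 name="/home/username/secret.txt" inode=1234 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
EOF
}

# Join the SYSCALL and PATH records of each event (they share the
# msg=audit(TIME:SERIAL) id) into one line per accessed file:
#   TIME:SERIAL auid=.. uid=.. comm=.. key=.. file=..
# Reads raw audit.log lines on stdin.
summarize_audit() {
    awk '
    # value of k=... in a record; handles quoted and bare values, and the
    # leading space keeps uid= from matching inside auid= or euid=
    function field(rec, k,    m) {
        if (match(rec, "(^|[ ])" k "=\"[^\"]*\"")) {
            m = substr(rec, RSTART, RLENGTH)
            sub("^ ?" k "=\"", "", m); sub(/"$/, "", m); return m
        }
        if (match(rec, "(^|[ ])" k "=[^ ]*")) {
            m = substr(rec, RSTART, RLENGTH)
            sub("^ ?" k "=", "", m); return m
        }
        return ""
    }
    {
        id = field($0, "msg")
        sub(/^audit\(/, "", id); sub(/\):?$/, "", id)
        if ($1 == "type=SYSCALL") {
            auid[id] = field($0, "auid"); uid[id] = field($0, "uid")
            comm[id] = field($0, "comm"); akey[id] = field($0, "key")
        } else if ($1 == "type=PATH" && (id in auid)) {
            # PARENT entries name the directory, not the file itself
            if (field($0, "nametype") != "PARENT")
                printf "%s auid=%s uid=%s comm=%s key=%s file=%s\n",
                    id, auid[id], uid[id], comm[id], akey[id], field($0, "name")
        }
    }'
}

if [ "${1:-}" = "demo" ]; then
    audit_watch_rule "$WATCH_DIR" r "$AUDIT_KEY"
    audit_user_open_rule 1000 "$AUDIT_KEY"
    sample_audit_log | summarize_audit
fi
```

In practice you rarely need the awk: ausearch -k user-files -i performs the same join and turns uids and syscall numbers into names, and aureport -f gives a per-file summary. The summariser is here to show what the raw records contain and why -p r on the watch (not the default write-oriented set) is what captures reads.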

Answer 3

Use find

The following solution does not work for deleted files, or if you have noatime set in your fstab, e.g.:

defaults,noatime

Use find after you get the account back.

find ~ -atime -1

meaning: accessed less than 1 day ago.

Or combined:

find ~ -atime 1 -atime -2

meaning 1-2 days ago


man find

-atime n
      File  was  last  accessed n*24 hours ago.  When find figures
      out how many 24-hour periods ago the file was last accessed,
      any fractional part is ignored, so to match -atime +1, a file
      has to have been accessed at least two days ago.

-amin n
      File was last accessed n minutes ago.
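As an added example (mine, not the answer's), the following script makes the find approach reproducible: it builds a scratch directory with constructed access times, lists files by access age with find, and reports the mount option that decides whether atime is maintained at all. The directory and the day windows are placeholders. Beyond the answer's noatime caveat, note that the Linux default since 2.6.30 is relatime, which updates atime only when the stored atime is older than mtime/ctime or more than 24 hours old, so a second read within a day of the last update leaves no new trace; atime_mode reports which mode the filesystem is in.

```shell
#!/bin/sh
# Added example, not part of the answer above: a reproducible check of
# the find -atime approach. It builds a scratch directory with constructed
# access times (touch -a -d, GNU coreutils), lists files by access age
# with find, and reports the mount option that decides whether atime is
# being maintained at all. Paths and day windows are assumptions.

# Mount option governing atime for the filesystem that holds DIR
# (findmnt from util-linux). noatime: never updated, so find -atime finds
# nothing. relatime (the Linux default): updated only when the old atime
# is older than mtime/ctime or more than 24 hours old, so a second read
# within a day leaves no new trace. strictatime: updated on every read.
atime_mode() {
    opts=$(findmnt -no OPTIONS --target "$1" 2>/dev/null) || opts=""
    case ",$opts," in
        *,noatime,*)     echo noatime ;;
        *,strictatime,*) echo strictatime ;;
        *,relatime,*)    echo relatime ;;
        *)               echo unknown ;;
    esac
}

# Files under DIR accessed less than N days ago. -atime truncates to whole
# 24-hour periods, so the window is expressed in minutes with -amin.
accessed_within_days() {
    find "$1" -type f -amin "-$(($2 * 24 * 60))" | sort
}

# Files under DIR accessed between FROM and TO days ago (FROM < TO).
accessed_between_days() {
    find "$1" -type f -amin "+$(($2 * 24 * 60))" -amin "-$(($3 * 24 * 60))" | sort
}

# Scratch tree with constructed access times; prints its path.
# touch -a -d sets atime explicitly, which works even under noatime.
make_demo_tree() {
    demo=$(mktemp -d)
    printf 'a\n' > "$demo/read-today.txt"
    printf 'b\n' > "$demo/read-yesterday.txt"
    printf 'c\n' > "$demo/read-last-week.txt"
    touch -a -d '36 hours ago' "$demo/read-yesterday.txt"
    touch -a -d '7 days ago' "$demo/read-last-week.txt"
    printf '%s\n' "$demo"
}

if [ "${1:-}" = "demo" ]; then
    tree=$(make_demo_tree)
    echo "atime mode for $tree: $(atime_mode "$tree")"
    echo "accessed within 1 day:";  accessed_within_days "$tree" 1
    echo "accessed 1-2 days ago:";  accessed_between_days "$tree" 1 2
    rm -rf "$tree"
fi
```

Run it as sh thisfile demo. Since an attacker with access to the account can reset atime with the same touch -a, treat find output as a hint for a first look, not as evidence; the auditd answer is the one that produces a record the user cannot rewrite.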
