File Accessed Alarm ??

Hey,

I want to ask a simple Question....

How would I be able to come to know that files/directories in a parent directory have been accessed (meaning the contents of the file have just been viewed) by the user(s) in a group? And mail the name(s) of those files/directories which have been accessed recently, in the past 1 or 2 minutes, with the name of the user who viewed the files/directories.

How will I write script for this ??

Please answer this QUESTION asap as I am after this problem for past 15 days and I didn't get any perfect answer.

Please Help !!
Thanks !!

Hey Varun,
Hope you guys are doing Gr8 !!
Once again I don't have any *NIX box with me, so I am just giving one logic by which you will get your answer.
-------------------------------------------------------------
#!/bin/bash

## List all the files which one accessed since last 1 min #####
for file_dir in `find <parent-dir> -atime -1`

do
### Find out the PID for that files which one been accessed
pid=`fuser -f $file_dir`

### Find out the owner/user name for that Process
### Replace the $access_user_filed with the filed no from the ps -ef
### command
user=`ps -ef | grep $pid | awk { print $access_user_filed }`
echo " $file_dir access by the $user " >> File_Access_List "
mail -s " File Access List " user@yourdomain.com < File_Access_List
done

Hey,

Thanks buddy...I'll come back to you with the results of your post.
It looks fine !!

Hey,
please clarify my doubt..
What is $access_user_filed, used in the following command?
user=`ps -ef | grep $pid | awk { print $access_user_filed }`

In ps -ef we have following columns..
UID PID PPID C STIME TTY TIME CMD
Are you talking about UID or anything else ??

Sorry, it is my typo.

$access_user_filed is actually the UID (user id) field no. from the output of the ps -ef command

Thanks~

No probs, I got that !!
Thanks !!

Hey ,

When I run the script it gives me following error :

AccessLogMonitor_script[11]: 0403-057 Syntax error at line 23 : `"' is not matched.
And my script is, as per your suggestions :
---------------------------------------------------------------------
#SCRIPT TO CHECK WHO HAS ACCESSED THE LOG/FILE IN PAST 'N' MINUTES, AND MAIL ACCORDINGLY.

MYPATH="/clocal/mqbrkrs/user/mqsiadm/sanjay/"
MAIL_RECIPIENTS="abc@xyz.com"
Subject="File accessed in last few minutes are ::"
>tempmail.txt
>tempfind.txt

## List all the files which one accessed since last 1 min #####

for file_dir in `find $MYPATH -amin -1`
do
### Find out the PID for that files which one been accessed
pid = `fuser -f $file_dir`

### Find out the owner/user name for that Process
### Replace the $access_user_filed with the filed no from the ps -ef
### command
user = `ps -ef | grep $pid | awk { print $1 }`
echo " $file_dir access by the $user " >> tempmail.txt "
done

cat tempmail.txt | mailx -s "$Subject" "$MAIL_RECIPIENTS"
---------------------------------------------------------------------
Suggest me !!
Thanks !!

If you are on Linux, you can turn on auditing using auditd. Commands like auditctl, ausearch, aureport may be able to help you. If you are on Solaris, you can turn on BSM.

Hey,

I am using AIX5.2.
Do you have any idea whether I could use the commands given by you in AIX5.2?

I don't find the manuals for the commands given by you; I think I can't use those commands.

I am not on AIX, but a search produces this. You might want to take a look. Some people here are on AIX (aigles?), so hope they can provide you some insights...

Any help, I would appreciate !!

### Find out the owner/user name for that Process
### Replace the $access_user_filed with the filed no from the ps -ef
### command
user = `ps -ef | grep $pid | awk '{ print $1 }'` (I think you need the single quotes here?)
echo " $file_dir access by the $user " >> tempmail.txt " (here you have 3 " characters)
done

fuser only tells you which process is using a file at that moment. It tells you nothing about access between invocations of fuser.

I have removed the last double quote that was used in the echo command. That's fine.

Now when I add single quotes in awk, as you mentioned, then it gives error on grep command.

AccessLogMonitor_script[14]: pid: not found.
Usage: grep [-r] [-R] [-H] [-L] [-E|-F] [-c|-l|-q] [-insvxbhwy] [-p[parasep]] -e pattern_list...
[-f pattern_file...] [file...]
Usage: grep [-r] [-R] [-H] [-L] [-E|-F] [-c|-l|-q] [-insvxbhwy] [-p[parasep]] [-e pattern_list...]
-f pattern_file... [file...]
Usage: grep [-r] [-R] [-H] [-L] [-E|-F] [-c|-l|-q] [-insvxbhwy] [-p[parasep]] pattern_list [file...]
AccessLogMonitor_script[19]: user: not found.

How to solve this ?? Please help !!

#SCRIPT TO CHECK WHO HAS ACCESSED THE LOG/FILE IN PAST 'N' MINUTES, AND MAIL ACCORDINGLY.

MYPATH="/clocal/mqbrkrs/user/sanjay/"
MAIL_RECIPIENTS="abc@def.com"
Subject="File accessed in last few minutes are ::"
>tempmail.txt
>tempfind.txt

## List all the files which one accessed since last 1 min #####

for file_dir in `find $MYPATH -amin -1`
do
### Find out the PID for that files which one been accessed
pids = ''
#fuser -f "$file_dir" > tempfind.txt
#pid=$(tr -dc "[:digit:]\n" < tempfind.txt)
pids=`fuser -f "$file_dir" | tr -dc "[:digit:]"`
echo "$pids"

### Find out the owner/user name for that Process
### Replace the $access_user_filed with the filed no from the ps -ef
### command
user = `ps -ef | grep -w "$pid" | awk '{ print $1 }'`
echo " $file_dir access by the $user " >> tempmail.txt
done

cat tempmail.txt | mailx -s "$Subject" "$MAIL_RECIPIENTS"

Problem is, I am not getting output in the tempmail.txt file.
Please guide me on this !!

Thanks in advance !!

I tried all the above scripts; the users who have accessed the files are not displayed in the mail which I receive.

thanks

All the scripts are using fuser, which will send you an alert only if the script runs when the user is accessing the file. As porter has already mentioned, it will give no details for access in the interval between script invocations. Suggest checking out the link that ghostdog74 has posted.
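
Added example, not part of any post in this thread: on Linux with auditd (the route suggested above; it does not apply to AIX 5.2), the kernel logs each read of a watched path together with the login uid, so access is recorded even when no process still holds the file open. The script below joins the SYSCALL and PATH records of each audit event to list which file was read by which user; the key name `filewatch` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes a read watch was set beforehand (as root) with:
#   auditctl -w /clocal/mqbrkrs/user/sanjay -p r -k filewatch
# "filewatch" is a key name chosen for this example.

# Constructed sample records in raw audit log format (not real log data).
sample_records() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 pid=4211 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="filewatch"
type=CWD msg=audit(1700000000.101:501): cwd="/home/u1"
type=PATH msg=audit(1700000000.101:501): item=0 name="/clocal/mqbrkrs/user/sanjay/app.log" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1700000031.552:502): arch=c000003e syscall=257 success=yes exit=4 pid=4290 auid=1002 uid=0 comm="less" exe="/usr/bin/less" key="filewatch"
type=PATH msg=audit(1700000031.552:502): item=0 name="/clocal/mqbrkrs/user/sanjay/broker.log" inode=132 nametype=NORMAL
type=SYSCALL msg=audit(1700000047.009:503): arch=c000003e syscall=257 success=no exit=-13 pid=4302 auid=1003 uid=1003 comm="cat" exe="/usr/bin/cat" key="filewatch"
type=PATH msg=audit(1700000047.009:503): item=0 name="/clocal/mqbrkrs/user/sanjay/app.log" inode=131 nametype=NORMAL
EOF
}

# Join the SYSCALL record (who) to the PATH record (which file) of each event.
report_access() {
  awk '
    # Value of key k on the current record, quotes stripped.
    function val(k,    i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, k "=") == 1) {
          v = substr($i, length(k) + 2); gsub(/"/, "", v); return v
        }
      return ""
    }
    { id = val("msg"); if (!(id in seen)) { seen[id] = 1; order[++n] = id } }
    $1 == "type=SYSCALL" { who[id] = val("auid"); cmd[id] = val("comm"); ok[id] = val("success") }
    $1 == "type=PATH" && val("nametype") == "NORMAL" { file[id] = val("name") }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]
        if ((id in who) && (id in file))
          printf "%s auid=%s comm=%s success=%s\n", file[id], who[id], cmd[id], ok[id]
      }
    }
  '
}

# Live use (Linux, root): ausearch -k filewatch --start recent --raw | report_access
sample_records | report_access
```

The `auid` field is the login uid, so the second sample event is still attributed to user 1002 even though the read ran with `uid=0`; the report can be piped to `mailx` in the same way as the scripts above.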