[all variants] Filesystem Audit... how to monitor what files are read in a given directory?


niiiick
June 26th, 2008, 04:30 PM
Hi guys,

So I want to run some kind of script or app that will log all read functions of all files in a given directory.

I've come across inotify and auditd (I think that's what it was called, but something like that) but as far as I can tell inotify doesn't log file reads, and auditd can't monitor whole directories for file reads.

Can anyone help?

Thanks,
nick

brian_p
June 26th, 2008, 07:40 PM
Has tripwire anything to offer you?

cdenley
June 27th, 2008, 08:48 AM
Isn't this what you want?

inotifywait -e OPEN -m /path/to/mydir>/path/to/my.log


Or did you want it to be recursive?

inotifywait -r -e OPEN -m /path/to/mydir>/path/to/my.log
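
An added example, not part of the original posts: the same recursive watch with timestamps and a parseable line format, plus a helper that counts events per file from the resulting log. The paths, the `|` separator, the function names and the sample log lines are assumptions made for this example.

```shell
# Added example, not from the thread. Paths and names are placeholders.

# Recursive watch, one line per event: <ISO time>|<event flags>|<path>
# "open" fires on any open; "access" fires when file data is actually read.
watch_reads() {
    inotifywait -m -r -e open -e access \
        --timefmt '%Y-%m-%dT%H:%M:%S' \
        --format '%T|%e|%w%f' "$1" >> "$2"
}

# count_events EVENT [LOGFILE]: per-file count of EVENT, directories skipped.
count_events() {
    ev=$1; shift
    awk -F'|' -v ev="$ev" '
        {
            # Path is everything after the second separator, so a "|" in a
            # file name does not truncate it.
            path = $0; sub(/^[^|]*\|[^|]*\|/, "", path)
            n = split($2, flags, ","); isdir = 0; hit = 0
            for (i = 1; i <= n; i++) {
                if (flags[i] == "ISDIR") isdir = 1
                if (flags[i] == ev) hit = 1
            }
            if (hit && !isdir) count[path]++
        }
        END { for (p in count) printf "%d %s\n", count[p], p }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample of what watch_reads writes (not real log data).
sample_log() {
    cat <<'EOF'
2008-06-27T08:48:01|OPEN,ISDIR|/srv/data/
2008-06-27T08:48:02|OPEN|/srv/data/a.txt
2008-06-27T08:48:02|ACCESS|/srv/data/a.txt
2008-06-27T08:48:03|OPEN|/srv/data/sub/b|c.txt
2008-06-27T08:48:04|ACCESS|/srv/data/a.txt
EOF
}

# Usage: script.sh watch /path/to/mydir /path/to/my.log
if [ "${1:-}" = "watch" ]; then watch_reads "$2" "$3"; fi
```

inotify events carry no PID or user, so this log shows which files were opened or read but not by whom. Reads made through mmap(2) do not raise ACCESS events.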

niiiick
June 27th, 2008, 08:56 PM
Tried Tripwire... was a bit overkill...

The inotify thing worked wonders. Thanks a million.