Track file access history

To track file access history on a system, the method depends on the operating system being used. Below are solutions for different environments:


1. Windows

Using Windows Event Viewer:

  1. Enable Auditing:

    • Open Local Security Policy (Run: secpol.msc).

    • Navigate to: Local Policies > Audit Policy.

    • Enable Audit object access.

  2. Set Audit on Specific Files/Folders:

    • Right-click the file/folder > Properties > Security tab > Advanced.

    • Go to Auditing tab > Add > select a user or group > configure access types (e.g., Read, Write).

    • Apply settings.

  3. View Logs:

    • Open Event Viewer (Run: eventvwr.msc).

    • Go to: Windows Logs > Security.

    • Look for Event IDs like 4663 (An attempt was made to access an object).
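Once auditing is enabled, the 4663 records pile up quickly, and reading them one at a time in Event Viewer does not scale. The script below is an added example (not part of the original article) that parses 4663 events exported from Event Viewer as XML, decodes the AccessMask into named rights, and flags uses of delete or ACL/owner-change rights on a monitored file. The event records embedded in it are constructed sample data, and the export is wrapped in a root element so it parses as one document.

```python
"""Parse Windows Security Event ID 4663 records exported from Event Viewer as
XML and summarize who touched which file with which rights. Added example for
this article; the event records below are constructed sample data."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# AccessMask bits for file objects (a subset of the documented access rights).
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# Rights whose exercise on a monitored file usually deserves an alert.
SENSITIVE_RIGHTS = {"DELETE", "WRITE_DAC", "WRITE_OWNER"}

# Constructed sample: two 4663 records and one 4656 record the parser must
# skip, wrapped in a root element so the text parses as one XML document.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-15T09:12:03.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Finance\payroll.xlsx</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessName">C:\Program Files\Microsoft Office\EXCEL.EXE</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4656</EventID><TimeCreated SystemTime="2024-01-15T09:12:03.000Z"/></System>
  <EventData><Data Name="ObjectName">C:\Finance\payroll.xlsx</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-15T17:48:51.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">bob</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Finance\payroll.xlsx</Data>
    <Data Name="AccessMask">0x10080</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
</Events>"""


def decode_access_mask(mask):
    """Translate an AccessMask value into the names of the bits that are set."""
    rights, remaining = [], mask
    for bit, name in sorted(ACCESS_BITS.items()):
        if mask & bit:
            rights.append(name)
            remaining &= ~bit
    if remaining:  # bits outside the table are reported rather than dropped
        rights.append(f"unknown(0x{remaining:x})")
    return rights


def parse_4663(xml_text):
    """Return one dict per 4663 event; other event IDs are ignored."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter(f"{{{NS['e']}}}Event"):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        created = ev.find("e:System/e:TimeCreated", NS)
        mask = int(data.get("AccessMask", "0"), 16)
        records.append({
            "time": created.get("SystemTime", "") if created is not None else "",
            "user": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
            "object": data.get("ObjectName", ""),
            "process": data.get("ProcessName", ""),
            "mask": mask,
            "rights": decode_access_mask(mask),
        })
    return records


def find_sensitive_access(records):
    """Records in which a sensitive right (delete, change ACL or owner) was used."""
    return [r for r in records if SENSITIVE_RIGHTS & set(r["rights"])]


def access_by_object(records):
    """Map each object path to the sorted set of (user, right) pairs seen on it."""
    seen = defaultdict(set)
    for r in records:
        for right in r["rights"]:
            seen[r["object"]].add((r["user"], right))
    return {obj: sorted(pairs) for obj, pairs in seen.items()}


if __name__ == "__main__":
    recs = parse_4663(SAMPLE_EVENTS)
    for obj, pairs in access_by_object(recs).items():
        print(obj)
        for user, right in pairs:
            print(f"  {user}: {right}")
    for r in find_sensitive_access(recs):
        print(f"ALERT {r['time']} {r['user']} {r['rights']} via {r['process']}")
```

The AccessMask table covers the file-object bits most relevant to access tracking; any bit outside it is reported as unknown rather than silently dropped, so a mask you have not mapped yet still shows up in the output.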


2. Linux

Using Auditd (Linux Auditing System):

  1. Install auditd:

    bash
    sudo apt install auditd -y    # Debian/Ubuntu
    sudo yum install audit -y     # CentOS/RHEL
  2. Add a Watch:

    bash
    sudo auditctl -w /path/to/file -p rwxa -k file_access
  3. Check Logs:

    bash
    sudo ausearch -k file_access
  4. View Real-time Logs:

    bash
    sudo tail -f /var/log/audit/audit.log
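A single file access produces several raw records in audit.log (SYSCALL, CWD, PATH, PROCTITLE) that share one audit serial, which is why the tail output above is hard to read directly. The script below is an added example (not part of the original article) that stitches those records back into one event per serial, resolves the x86_64 syscall number, decodes the hex-encoded proctitle, and flags attempts on the watched key that the kernel refused. The log lines embedded in it are constructed to match the auditctl -w ... -k file_access rule above; they are not real logs.

```python
"""Correlate raw auditd records from /var/log/audit/audit.log into one event
per audit serial and flag denied attempts on a watched key. Added example for
this article; the log lines below are constructed, not real."""
import re

# x86_64 syscall numbers for calls a -p rwxa watch commonly reports; other
# architectures use different numbers (compare with `ausyscall --dump`).
SYSCALLS_X86_64 = {2: "open", 82: "rename", 87: "unlink", 257: "openat", 263: "unlinkat"}

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

# Constructed sample: one successful read by uid 1000, one refused open
# (exit=-13, EACCES) by uid 1001, both on the watched file.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1705312323.417:9012): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2e3f10 a2=0 a3=0 items=1 ppid=1842 pid=1901 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="file_access"
type=CWD msg=audit(1705312323.417:9012): cwd="/home/alice"
type=PATH msg=audit(1705312323.417:9012): item=0 name="/srv/secrets/api.key" inode=131095 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1705312323.417:9012): proctitle=636174002F7372762F736563726574732F6170692E6B6579
type=SYSCALL msg=audit(1705312330.002:9013): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d2c8a1e2b0 a2=0 a3=0 items=1 ppid=2200 pid=2210 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="python3" exe="/usr/bin/python3.11" subj=unconfined key="file_access"
type=PATH msg=audit(1705312330.002:9013): item=0 name="/srv/secrets/api.key" inode=131095 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
"""


def _to_int(value, default=-1):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def parse_fields(line):
    """Split an audit record into key/value pairs, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def decode_proctitle(value):
    """auditd hex-encodes values containing spaces or control characters; the
    NUL separators between argv entries become spaces. Plain values pass through."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ").strip()
    except ValueError:
        return value


def parse_audit_log(text):
    """Group SYSCALL/CWD/PATH/PROCTITLE records by audit serial into one event each."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        ev = events.setdefault(serial, {"serial": serial, "time": float(m.group(1)),
                                        "paths": [], "cwd": None, "proctitle": None})
        f = parse_fields(line)
        rtype = f.get("type")
        if rtype == "SYSCALL":
            nr = _to_int(f.get("syscall"))
            ev.update(syscall=SYSCALLS_X86_64.get(nr, str(nr)),
                      success=f.get("success") == "yes", exit=_to_int(f.get("exit"), 0),
                      uid=_to_int(f.get("uid")), auid=_to_int(f.get("auid")),
                      comm=f.get("comm"), exe=f.get("exe"), key=f.get("key"))
        elif rtype == "PATH":
            ev["paths"].append(f.get("name"))
        elif rtype == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rtype == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(f.get("proctitle", ""))
    return [events[s] for s in sorted(events)]


def denied_access(events, key="file_access"):
    """Watched-key events whose syscall failed: a process tried to reach the
    file and was refused, which is usually worth an alert of its own."""
    return [e for e in events if e.get("key") == key and e.get("success") is False]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in evs:
        status = "ok" if e.get("success") else f"denied (exit={e.get('exit')})"
        print(f"{e['time']:.3f} uid={e.get('uid')} auid={e.get('auid')} {e.get('comm')} "
              f"{e.get('syscall')} {e['paths']} {status}")
    print("denied:", [e["serial"] for e in denied_access(evs)])
```

The auid field (the login UID, which survives su and sudo) is kept alongside uid deliberately: for attribution it is the more useful of the two, since uid only tells you the effective identity at the time of the call.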

3. macOS

Using fs_usage or opensnoop:

  • Real-time file access monitor:

    bash
    sudo fs_usage -w | grep /path/to/file
  • Using DTrace with opensnoop:

    bash
    sudo opensnoop -f /path/to/file

    Note: DTrace-based tools such as opensnoop are restricted by System Integrity Protection on recent macOS releases, so fs_usage is usually the practical choice on a stock system.

4. Programming/Script-Based Solutions

Python Example:

Use the watchdog library for tracking file access. Keep in mind that file-system notification APIs report that a path was opened or modified, not which user or process did it; for attribution, combine this with the OS audit facilities described above.

python
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler
import time


class FileAccessHandler(FileSystemEventHandler):
    def on_modified(self, event):
        print(f"Modified: {event.src_path}")

    # on_opened requires watchdog >= 2.0 and is only emitted by the inotify
    # backend (Linux); other platforms report modifications but not opens.
    def on_opened(self, event):
        print(f"Opened: {event.src_path}")


path = "/path/to/watch"
observer = Observer()
observer.schedule(FileAccessHandler(), path=path, recursive=False)
observer.start()
try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    observer.stop()
observer.join()

Best Practices:

  • Use centralized logging for audit trails (e.g., ELK Stack or Windows Event Forwarding).

  • Regularly rotate and back up audit logs.

  • Monitor using SIEM tools for real-time alerts and correlation.

Let me know the OS or setup you’re using if you need a more tailored approach.
