LinuxQuestions.org


OS-Newb 03-16-2017 01:16 PM

Is there a file access history in Linux?
 
You know how in Windows, you can look up the history (in Windows Explorer, I think) of files that have been opened on the system? Is there a similar way to do that on Linux? I ask because I would want to clear that history all the time.

whynotkeithberg 03-16-2017 02:09 PM

Auditd can but it has to be configured... I could be wrong but I don't believe there is anything that will track that by default. Obviously an lsof will list all files that are currently open by a user/process but nothing that tracks who opened what files by default.

jamison20000e 03-16-2017 02:29 PM

CLI has a history, can tweak in ~/.bashrc

whynotkeithberg 03-16-2017 02:34 PM

Quote:

Originally Posted by jamison20000e (Post 5684338)
CLI has a history, can tweak in ~/.bashrc

That's true. However, that's not a file access history. It only shows files you accessed via the CLI, not a list of all files accessed. But that is something I should have thought about in my initial response. Files you accessed via a GUI application will not show up in the history list, nor will files opened by a script you launch from the CLI. It will only show files you directly specify in your command history.

sundialsvcs 03-16-2017 03:57 PM

File access logging produces such a flood of entries that it is basically useless in practice. Thousands of files might be opened and closed, each and every second.

Logic to update the "time last accessed" information is usually turned off for much the same reason: it simply causes too many disk writes that could be better spent doing useful things.

JeremyBoden 03-16-2017 04:16 PM

You could obtain a list of all modified files in a specified period...
So you could get a list of all the files that have been amended in any significant way...

hydrurga 03-16-2017 07:57 PM

You need to tell us which desktop environment you are using. Gnome-based desktop environments, for example, normally keep a list of most recently accessed files (e.g. /.local/share/recently-used.xbel on my Mint 18.1 MATE system).

This might be of interest to you (read through the whole thing to get ideas before trying anything - the final solution will be specific to your setup):

https://alexcabal.com/disabling-gnom...he-better-way/

Be aware that applications themselves, including your file manager, very often keep most recently used lists - you may want to switch those off on a per-application basis.

JeremyBoden 03-17-2017 12:30 AM

The popular GUI file managers keep a cache of icons of displayed files,
but many or most files are simply used without any presentation to a GUI.

I have only 3,000 files in /etc - but I'm betting the majority are read-only (in normal use).

r3sistance 03-17-2017 10:14 AM

Even if you deleted such a history in a GUI, it can be figured out from the CLI since all files have three time stamps: Access, Modify and Change.

You can disable the updating of Access time stamps (via noatime & nodiratime mount options) but Modify and Change would still function if there were changes to the file or it were updated.

Just to note, these time stamps only indicate the when and not the who.
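
The three time stamps r3sistance describes, together with the "files modified in a specified period" listing JeremyBoden mentions earlier, as an added example that is not part of any post in this thread. It assumes GNU coreutils and findutils; the function names, file names and dates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Needs GNU coreutils and findutils.
# All file names and dates are constructed sample data.

# Print "atime mtime ctime" as epoch seconds.
#   atime: last read (may lag or stay fixed under relatime/noatime)
#   mtime: last content write
#   ctime: last inode change (write, chmod, chown, rename); not settable with touch
file_times() {
    stat -c '%X %Y %Z' -- "$1"
}

# Seconds by which ctime is later than mtime. A large gap means the metadata
# changed after the last write, or mtime was set explicitly (touch -d, archive
# extraction, rsync -t).
ctime_lag() {
    set -- $(file_times "$1")
    echo $(( $3 - $2 ))
}

# Names of regular files under DIR with START < mtime <= END, sorted.
modified_between() {
    find "$1" -type f -newermt "$2" ! -newermt "$3" -printf '%f\n' | sort
}

# Populate DIR with three files carrying constructed mtimes.
make_sample() {
    printf 'a\n' > "$1/report.txt"
    printf 'b\n' > "$1/notes.txt"
    printf 'c\n' > "$1/old.log"
    touch -d '2017-03-16 13:16:00 UTC' "$1/report.txt"
    touch -d '2017-03-16 19:57:00 UTC' "$1/notes.txt"
    touch -d '2017-03-10 08:00:00 UTC' "$1/old.log"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "modified on 2017-03-16 (UTC):"
modified_between "$demo" '2017-03-16 00:00:00 UTC' '2017-03-17 00:00:00 UTC'
echo "report.txt atime/mtime/ctime: $(file_times "$demo/report.txt")"
echo "ctime is $(ctime_lag "$demo/report.txt") s later than mtime"
rm -rf "$demo"
```

The backdated mtime is accepted by `touch`, but ctime still records when the inode was last changed, so the lag between the two is what an examiner compares.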

JeremyBoden 03-17-2017 11:23 AM

Except that the access/modify/change time-stamps to read-only files are not normally updated, since that would require a wasted file update.

!!! 03-17-2017 11:44 AM

Welcome BACK! How's things been going over past 2.4 years? IF AV Linux, try this search:
recently used files xfce desktop
Wikipedia will tell you that Linux more literally means kernel, separate from each distribution's choice of DE, Desktop Environment.

r3sistance 03-17-2017 07:44 PM

Quote:

Originally Posted by JeremyBoden (Post 5684783)
Except that the access/modify/change time-stamps to read-only files are not normally updated, since that would require a wasted file update.

But how do you know the files in question are read-only? I see no such mention other than by yourself. The OP never specified what files they are talking about; it seems, however, they were probably on about ALL files, not just some files that might be read-only.

Shadow_7 03-19-2017 05:56 AM

There's fam, file alteration monitor or some such. But it has to be installed and configured and running when files are altered. Or at least there used to be, maybe it got ate by systemd. In general about the only thing tracked without configuration is last access time, which can also be disabled (noatime). For Linux, most everything is a file, to include devices, so tracking them would be a daunting task and probably not on by default for most distros. If you're paranoid, run something like Puppy Linux or Tails that runs in RAM. Or other read-only live distros. Or do fresh installs often and wipe your partitions clean, plus encrypted partitions for those devices that don't wipe easily.


All times are GMT -5.