Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Would like help becoming comfortable with Gentoo, AV Linux, maybe Arch
Posts: 8
Rep:
Is there a file access history in Linux?
You know how in Windows, you can look up the history (in Windows Explorer, I think) of files that have been opened on the system? Is there a similar way to do that on Linux? I ask because I would want to clear that history all the time.
Auditd can but it has to be configured... I could be wrong but I don't believe there is anything that will track that by default. Obviously an lsof will list all files that are currently open by a user/process but nothing that tracks who opened what files by default.
That's true. However, that's not a file access history. It only shows files you accessed via the cli not a list of all files accessed. But that is something I should have thought about in my initial response. Files you accessed via a GUI application will not show up in the history list or files opened by a script you launch from the cli. It will only show files you directly specify in your command history.
File access logging produces such a flood of entries that it is basically useless in practice. Thousands of files might be opened and closed, each and every second.
Logic to update the "time last accessed" information is usually turned off for much the same reason: it simply causes too many disk writes that could be better spent doing useful things.
You could obtain a list of all modified files in a specified period...
So you could get a list of all the files that have been amended in any significant way...
You need to tell us which desktop environment you are using. Gnome-based desktop environments, for example, normally keep a list of most recently accessed files (e.g. /.local/share/recently-used.xbel on my Mint 18.1 MATE system).
This might be of interest to you (read through the whole thing to get ideas before trying anything - the final solution will be specific to your setup):
Be aware that applications themselves, including your file manager, very often keep most recently used lists - you may want to switch those off on a per-application basis.
even if you deleted such a history in a GUI, it can be figured out from the CLI since all files have three time stamps, Access, Modify and Change.
You can disable the updating of Access time stamps (via noatime & nodiratime mount options) but Modify and Change would still function if there were changes to the file or it were updated.
Just to note, these time stamps only indicate the when and not the who.
Welcome BACK! How's things been going over past 2.4years? IF AV Linux, try this search:
recently used files xcfe desktop
Wikipedia will tell you that linux more literally means kernel, seperate from each distribution's choice of DE, Desktop Environment.
Except that the access/modify/change time-stamps to read-only files are not normally updated, since that would require a wasted file update.
But how do you know the files in question are read-only, I see no such mention as such other than by yourself. The OP never specified what files they are talking about, it seems however they were probably on about ALL files, not just some files that might be read-only.
There's fam, file alteration monitor or some such. But it has to be installed and configured and running when files are altered. Or at least there used to be, maybe it got ate by systemd. In general about the only thing tracked without configuration is last access time, which can also be disabled (noatime). For linux, most everything is a file, to include devices, so tracking them would be a daunting task and probably not on by default for most distros. If you're paranoid, run something like puppy linux or tails that runs in ram. Or other read-only live distros. Or do fresh installs often and wipe your partitions clean, plus encrypted partitions for those devices that don't wipe easily.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.