How can I see which applications have accessed a certain file within a given time period on Linux?

Question

Is it possible on Linux to find out which applications have accessed a certain file in the last 24 hours?

I've come with a few possible solutions:

Watch lsof. It works, but it's constrained to watch's granularity.
inotify sounds good... but no information of the application accessing the file is provided.
auditd may be useful, but I haven't checked that yet.

What ways can I see which applications have accessed a certain file within a given time period?

I assume that you're using a posix operating system since you mention `lsof` and other utilities. — Wesley, Mar 21 '12 at 00:23

score 1 · Accepted Answer · answered Mar 21 '12 at 02:15

1

auditd would be the way to go for this. Here's a quick tutorial on how to accomplish monitoring a file. You'll have to setup a watch on the file beforehand though.

answered Mar 21 '12 at 02:15

Kyle

1,589
9
14

How can I see which applications have accessed a certain file within a given time period on Linux?

1 Answers1