Operating System - HP-UX

Last time an executable file was run

 
Gilbert Standen_1
Frequent Advisor


Hi,
I'm wondering if there is a way to list files and show the last time a file was run. Not the last time it was accessed for edit, but the last time it was executed. This would be very useful for situations where I've been developing and have older versions of a script in the same directory, and want to be sure which ones are actually executing and being called, etc.
Best Regards, Gil
If I could take one thing with me into the next world it would be my valid login to HP ITRC Forums
James R. Ferguson
Acclaimed Contributor
Solution

Re: Last time an executable file was run

Hi Gilbert:

The 'atime' (last access timestamp) will be updated any time a file is read or executed. No "last execution" time is available.

For what it's worth, for non-root users to execute a file that requires interpretation, as for instance a shell or Perl script, the user must also have read-access to be able to execute it.

Regards!

...JRF...
Joel Girot
Trusted Contributor

Re: Last time an executable file was run

Hi Gilbert,
you can add this line to your script to record the date and time of each execution:
touch "/tmp/$(basename "$0")_$(date +%y%m%d_%H%M).log"

Best regards
Joel
SANTOSH S. MHASKAR
Trusted Contributor

Re: Last time an executable file was run

Hi Gilbert,

It is not possible to get the time when a file was last executed.

You can log the execution time by adding a few lines to the executable, if it is a text file, as suggested by Joel.

Add these lines to the script:

# Start of script

echo "`dirname $0`/`basename $0` executed at time `date` by user `id -un`" > /tmp/some_logfile

your script

# End of script

Or, if the file is binary, call it from a script as follows:

# Start of script

echo "`dirname $0`/`basename $0` executed at time `date` by user `id -un`" > /tmp/some_logfile

with arguments

# End of Script


-Santosh
SANTOSH S. MHASKAR
Trusted Contributor

Re: Last time an executable file was run

Sorry, a small typing mistake.

Please read

echo "`dirname $0`/`basename $0` executed at time `date` by user `id -un`" >> /tmp/some_logfile

instead of

echo "`dirname $0`/`basename $0` executed at time `date` by user `id -un`" > /tmp/some_logfile

so that the file /tmp/some_logfile will not get overwritten

-Santosh
Gilbert Standen_1
Frequent Advisor

Re: Last time an executable file was run

Excellent insights all. When we say "last time a file was read" (atime) what are we talking about? Doing a "cat" or a "more" -- that is not a "read" is it? If I vi a file and save it without changing the file (q!) is that a read? It is mentioned in one post that whenever a file is "executed or read"...so "atime" would tell you only that it was executed OR it was read, but would not allow you to know which event had occurred, whereas the method of embedding some code would tell you that information. It surprises me that the OS does not track this, because you would think from a security standpoint an admin would want a way to investigate when and by whom an executable was last run. Anyway, I am very grateful for the excellent replies to my post!
If I could take one thing with me into the next world it would be my valid login to HP ITRC Forums
Bill Hassell
Honored Contributor

Re: Last time an executable file was run

There are exactly 3 timestamps for all files and directories in Unix. atime means access time, so reading a file is accessing a file regardless of what tool was used to read the file (vi, kernel scheduler, cron, etc). The access time always changes when the file is opened regardless of what else is done with the file. Execution in Unix is the process of reading the file into memory (or executing an interpreter to execute a script). There is no timestamp for this. If a change is made to the file, then the modification time is also changed. The other timestamp has to do with inode changes, which means ownership and permissions.

While it may seem to be an oversight not knowing when a file was executed, that information by itself is not very complete from a security point of view. The administrator or auditor would need to know what user executed the file, what tool was used to start execution (i.e., shell command, script, another program, cron, etc) and all the parameters given to the program through the command line and/or a configuration file.

Proper management of executables requires the use of source code control and version numbers in every production executable. The what command can report on version information and detailed auditing techniques might include logging the what string prior to execution.


Bill Hassell, sysadmin
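
An added example, not part of any post in this thread: a POSIX sh wrapper that appends the facts listed in the last reply (user, starting process, arguments, what string) to a log before running the program, using `>>` as in the corrected echo line. The names run_logged and EXEC_LOG and the log location are assumptions.

```shell
#!/bin/sh
# Added example: exec-logging wrapper. run_logged and EXEC_LOG are
# hypothetical names, not taken from the thread.

# Assumption: the log lives in a directory only the administrator can write
# to. A fixed name in /tmp can be pre-created or symlinked by any user.
EXEC_LOG=${EXEC_LOG:-./exec_audit.log}

# run_logged PROGRAM [ARGS...]
# Appends one record (time, user, parent command, version string, path,
# arguments) to $EXEC_LOG, then runs PROGRAM and returns its exit status.
run_logged() {
    prog=$1
    shift
    # Resolve the name to the path that will actually be executed.
    path=$(command -v "$prog") || {
        echo "run_logged: $prog not found" >&2
        return 127
    }
    # what(1) prints embedded "@(#)" version strings; empty if none or absent.
    ver=$(what "$path" 2>/dev/null | sed -n '2p' | sed 's/^[[:space:]]*//')
    # Parent command shows whether cron, a shell or another script started us.
    # HP-UX ps accepts -o only when UNIX95 is set; harmless elsewhere.
    parent=$(UNIX95=1 ps -p "$PPID" -o comm= 2>/dev/null) || parent=
    # Append (>>) so earlier records are never overwritten.
    printf '%s user=%s parent=%s version=%s path=%s args=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -un)" "${parent:-unknown}" \
        "${ver:-unknown}" "$path" "$*" >> "$EXEC_LOG"
    "$path" "$@"
}
```

Arguments are logged verbatim, so keep the log unreadable to ordinary users if command lines can carry passwords.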