HPE Community
Operating System - HP-UX
1825764 Members
2141 Online
109687 Solutions
New Discussion

file access info

 
Henry Chua
Super Advisor

‎06-08-2005 08:20 PM

‎06-08-2005 08:20 PM

file access info

Hi Guys,

Just curious to know, is there anyway I can know when a executable file has been used? and if it was called by another program can I know which program was doing the call?

If not can I write a program to keep any of this future information in a log file, how can this be done?

Thank u

0 Kudos
Reply
8 REPLIES 8
Muthukumar_5
Honored Contributor

‎06-08-2005 08:30 PM

‎06-08-2005 08:30 PM

Re: file access info

You can get the file access information with,

ls -lu

We can find the execution of specific file with history file or system auditing.

hth.
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Henry Chua
Super Advisor

‎06-08-2005 09:24 PM

‎06-08-2005 09:24 PM

Re: file access info

Hi Muthu,

Thank you for the info. Can you elaborate on the latter suggestion? does HPUX has a history or audit application i can utilise in this case. Or should I write a script to do this?

Best regards
Henry
0 Kudos
Reply
jpcast_real
Regular Advisor

‎06-08-2005 09:32 PM

‎06-08-2005 09:32 PM

Re: file access info

Henry ,

You can enable the auditory in the server . However I prefer to create a centralized store for all the histories of every user .

I have introduced in my /etc/profiles

USER1=`id -nu`
USER2=`who am i | awk '{print $1}'`
tty=`who am i | awk '{ print $2 }'`
FROM=`who -a | grep -i $tty | awk '{print $NF }'`
SCREEN=`who -u -m | awk '{ print $NF }'| sed 's/:/ /g' | awk '{ print $1 }'`
export DISPLAY=$SCREEN:0.

TTYTEMP=`tty`
TTY=`basename $TTYTEMP`
FECHA=`date +%d%b%Y`
HORA=`date +%H%M%S`
export HISTFILE=/.history/${USER1}-${USER2}.${TTY}.${FECHA}.${HORA}
export PS1=`hostname`':$PWD> '
EDITOR=vi
export $EDITOR

It creates a history for each user in a "hidden" folder
Here rests one who was not what he wanted and didn't want what he was
0 Kudos
Reply
Devender Khatana
Honored Contributor

‎06-08-2005 09:38 PM

‎06-08-2005 09:38 PM

Re: file access info

Hi,

For history we export these two lines in /etc/profile for all users or for a indivisual user in his .profile.

export HISTFILE="/path_to_file/$LOGNAME"
export HISTSIZE=1000

Here /path_to_file directory should be writable by user for which you are exporting history.
This will create a file with user name in this directory.

HTH,
Devender
Impossible itself mentions "I m possible"
0 Kudos
Reply
Muthukumar_5
Honored Contributor

‎06-08-2005 09:39 PM

‎06-08-2005 09:39 PM

Re: file access info

We can get the history of each user information with /etc/profile setting as,

set -o $EDITOR
HISTFILE=$HOME/.sh_history_$LOGNAME_$(date +'%d-%m-%y_%X')
HISTSIZE=1000

so that it will create history information in users home page with .sh_history_(login name_ date_time)


If you want to audit the user command execution then you have turn your system into trusted one.

You have to use /usr/lbin/tsconvert utility to do it or using sam also u can do it.

hth.
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Henry Chua
Super Advisor

‎06-08-2005 09:42 PM

‎06-08-2005 09:42 PM

Re: file access info

Hi Javier,

Thank you for the info.. actually my problem is that a program (say X) running on my workstation seems to behave strangely, as it is an object files, i can't see their content. But I seriouly will like to know which program running on the background is executing X and when the execution is being carried out? Can this be done?

Best regards
Henry
0 Kudos
Reply
Muthukumar_5
Honored Contributor

‎06-08-2005 11:08 PM

‎06-08-2005 11:08 PM

Re: file access info

X process will be startup process for the session so that you can it with who -u. IF some is using x windows who -u will give that command. Process ID will be in that execution.

hth.
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Devesh Pant_1
Esteemed Contributor

‎06-09-2005 05:02 PM

‎06-09-2005 05:02 PM

Re: file access info

Henry,
try to find the pid of the original x session that starts then you can do a grep for the pid that is running the x program.
ps -ef| grep pid

This will give you quite a few.
if you want a specific filesystem details,
you can do a
fuser -c /var
and that will give you all the pids accessing any files on say /var
Try to match the pid of your original x program or it's children to the list you just got from fuser.

Devesh
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.