2

A remote system knows my IP. How do I monitor which files are accessed?

sudo netstat -tunapl 

gives me the respective IP; I am looking for more detailed information.

6
  • 3
    Do you have auditd activated? Commented Nov 11 at 15:02
  • 1
    From my point of view auditd is the answer; a detailed description of how to use it would be nice. E.g.: a log file of all files accessed by a known remote IP. Commented Nov 11 at 16:42
  • 10
    What is the OS? There is a hint it is some *nix, but the OS should still be stated explicitly. Commented Nov 11 at 17:55
  • 11
    What kind of an access does the remote system have? SSH? NFS? SMB? Something else? Just knowing the IP address provides no access to any files. Commented Nov 12 at 11:14
  • 14
    "A remote system does know my IP" - that doesn't mean anything. What sort of access does the system really have? Commented Nov 12 at 14:22

2 Answers

12

One possible solution is to use auditd. This daemon can log access to files and you can filter the events by different criteria.

  • Determine as which user the files are accessed. Check whether you have logins, SMB, NFS.

  • Install auditd: dnf install auditd or apt-get install auditd audispd-plugins

  • run the daemon: systemctl --now enable auditd

  • add rule to monitor all file operations:

    auditctl -a exit,always -S open -k file_ops

  • to add operation for particular directory and specific file operations you can exec something like:

    auditctl -w /home/user/git/ -p r -k read_only_ops

After -p you can use:

  • r - track Read
  • w - track Write
  • x - track eXecute
  • a - track Attributes

  • to add operation for particular directory and user you can exec something like:

    auditctl -w /home/user/git/ -F auid=<userID> -k specific_user_ops

To search for a specific event you can use something like:

ausearch -i -k <key_name> 

(search by key)

ausearch -i -u <audit_user_id> 

(search by user)

0
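Added example, not part of either answer: a small Python parser that does offline what `ausearch -i -k KEY` and `ausearch -i -u AUID` do against the raw audit.log, joining the SYSCALL and PATH records of one event by serial so you can see which file a given user touched and whether the access succeeded. The log lines, paths, pids and the `sftp-server` process in them are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records in the raw format auditd writes.
# The keys match the rules from the answer (file_ops, read_only_ops); all values are made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1699714920.123:4521): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="read_only_ops"
type=CWD msg=audit(1699714920.123:4521): cwd="/home/user"
type=PATH msg=audit(1699714920.123:4521): item=0 name="/home/user/git/README.md" inode=123 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1699714925.456:4522): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1300 pid=1301 auid=1001 uid=1001 comm="sftp-server" exe="/usr/lib/openssh/sftp-server" key="file_ops"
type=PATH msg=audit(1699714925.456:4522): item=0 name="/etc/passwd" inode=456 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1699714930.789:4523): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1300 pid=1302 auid=1001 uid=1001 comm="sftp-server" exe="/usr/lib/openssh/sftp-server" key="read_only_ops"
type=PATH msg=audit(1699714930.789:4523): item=0 name="/home/user/git/secrets.txt" inode=789 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # msg=audit(TIMESTAMP:SERIAL)

def parse_audit_log(text):
    """Group raw audit records by event serial: keep the SYSCALL fields, collect PATH names."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an audit record
        ev = events[m.group(2)]
        ev["time"] = float(m.group(1))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            # auid is the login uid: it survives su/sudo, so it is the right field to filter on
            ev.update({k: fields.get(k) for k in ("auid", "uid", "comm", "exe", "key", "success")})
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name"))
    return dict(events)

def search(events, key=None, auid=None):
    """Offline equivalent of `ausearch -k KEY` / `ausearch -u AUID`; both filters may be combined."""
    hits = [
        (ev["time"], ev.get("auid"), ev.get("comm"), ev["paths"], ev.get("success"))
        for ev in events.values()
        if (key is None or ev.get("key") == key) and (auid is None or ev.get("auid") == str(auid))
    ]
    return sorted(hits)  # chronological order

if __name__ == "__main__":
    for hit in search(parse_audit_log(SAMPLE_AUDIT_LOG), key="read_only_ops"):
        print(hit)
```

The `success` field is worth keeping in the output: a denied open (`success=no`) against a watched directory is often more interesting than a successful one.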
2

In addition to the answer about auditd, you could try lsof -Pn to see more details on which process accesses which file or fd (file descriptor).

  • These options make it show the numeric IP addresses and ports (which I find easier to use than their translations, usually).
  • lsof will show you a lot of information. There are many options, but -Pn is my go-to.
  • As "everything" is a file on Linux, lsof will also show you connections, etc. (and which pid is using them), which may help in your case if you see that one end of a connection is a remote IP you find suspicious.

Then, when you see a specific pid that seems to look at something suspicious, you could even try strace -f -p pid -o /var/tmp/output_of_strace to "follow" every system call made by that pid.

  • -f also follows the children of that pid, not just that pid.
  • -o outputfile redirects the output to a file, as it is usually VERY verbose.
  • You can tail -f /var/tmp/output_of_strace from another terminal if you want to follow it "live".
