
Suppose an employee came in to the office for a whole day over the weekend and shortly thereafter handed in their notice.

Is there a way on Linux (in our case CentOS 7) to eliminate the possibility that data theft occurred? The kind of activity of interest would be zipping up fairly sizeable folders (over 1TB) containing many files - a time-consuming process that might be noticed during a work day.

Let's suppose access to the CentOS 7 server were from an iMac which connects using Netatalk (an open source Linux implementation of Apple File Protocol).

Since the majority of files are not accessed frequently - in fact we would expect most to not have been accessed since well before some hypothetical weekend visit - my thoughts are that simple file access logs would be sufficient to betray such activity, since they would show all affected files having been accessed on that date.

Is there a way therefore to list access times for large numbers of files on a Linux (Ext4 I think) volume, if no trace is set up in advance, and if so, how?

  • 1
    To state the obvious; I would explore any logs produced by Netatalk. Though you may not have configured it to log enough. I would double check what logs it leaves, presumably somewhere inside /var/log. Commented Nov 12, 2019 at 10:48

1 Answer


ls’s -u option can be used to list files with their last access time (instead of the default last modification time):

ls -lu

Since you’re trying to examine large amounts of files, the recursive option could be useful:

ls -luR

You can also list all files accessed in the last two days using find:

find . -atime -2

and multiple specifiers can be combined to specify a date range, for example

find . -atime +10 -atime -13

to find files accessed between 10 and 13 days ago. The -daystart option might be useful if you’re reasoning in calendar days rather than 24-hour periods from the time at which the command is run:

find . -daystart -atime +10 -atime -13
  • actually, sorry to push for more but in response to your time suggestion... This was some weeks ago, but if we could specify a date range this would be ideal. Commented Nov 12, 2019 at 9:47
  • 2
    -u tells ls to use access times; -l tells it to list files with details. So the relevant option is -u, and -lu is an example which shows it being applied; -u can be used without -l, for example with sorting options. Commented Nov 12, 2019 at 9:55
  • 1
    None of this will prove the employee actually stole data, however. Commented Nov 12, 2019 at 17:53
  • 2
    @T.Sar I think it’s more useful the other way, “to eliminate the possibility that data theft occurred” as mentioned in the question — since the data shouldn’t have been accessed for a long time, running find as described here should allow the OP to determine if nothing was accessed in the given time period (although a file could have been accessed then, and again later, and thus not show up in the search results). Commented Nov 13, 2019 at 14:58
  • 2
    Put another way, if nothing turns up in the search and nothing has been accessed since, then data theft didn’t occur (or the person involved ran touch -a afterwards, but that would show up as a ctime change). Commented Nov 13, 2019 at 14:59
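The answer's find-on-atime approach and the comment's point about touch -a, combined into one script as an added example (not the answerer's own code): it lists files whose atime falls in a date window, prints ctime beside it so that an atime planted with touch -a stands out (a read never moves ctime, touch always does), and checks the mount's atime policy, since noatime would mean reads were never recorded at all. It assumes GNU findutils, coreutils and util-linux as on CentOS 7, a constructed sample tree in place of the share, and 9-10 Nov 2019 as the weekend in question.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes GNU findutils,
# coreutils and util-linux as shipped with CentOS 7.

# accessed_between DIR START END -> "atime|ctime|path" for every regular file
# whose atime lies in (START, END]; dates are YYYY-MM-DD, local midnight.
accessed_between() {
    find "$1" -type f -newerat "$2" ! -newerat "$3" \
        -printf '%AY-%Am-%Ad|%CY-%Cm-%Cd|%p\n' | sort
}

# flag_tampered DIR START END -> paths accessed in the window whose ctime is
# later than END. A plain read never moves ctime; `touch -a` always does, so
# these are the entries whose atime may have been planted rather than earned.
flag_tampered() {
    accessed_between "$1" "$2" "$3" | awk -F'|' -v end="$3" '$2 >= end { print $3 }'
}

# atime_policy DIR -> the *atime mount option of the filesystem holding DIR.
# "noatime" means reads were never recorded and this search proves nothing.
atime_policy() {
    findmnt -no OPTIONS --target "$1" 2>/dev/null | grep -Eo '[a-z]*atime' \
        || echo 'not shown (kernel default is relatime)'
}

# make_sample_tree -> a constructed directory with atimes set by touch, standing
# in for the server share; the weekend in question is assumed to be 9-10 Nov 2019.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/projects/alpha" "$tree/projects/beta"
    printf 'x' > "$tree/projects/alpha/design.doc"
    printf 'x' > "$tree/projects/alpha/notes.txt"
    printf 'x' > "$tree/projects/beta/archive.tar"
    touch -a -d '2019-11-09 14:02' "$tree/projects/alpha/design.doc"
    touch -a -d '2019-11-10 09:30' "$tree/projects/beta/archive.tar"
    touch -a -d '2019-04-01 10:00' "$tree/projects/alpha/notes.txt"
    echo "$tree"
}

tree=$(make_sample_tree)
echo "atime policy: $(atime_policy "$tree")"
echo "accessed 2019-11-09..2019-11-10:"
accessed_between "$tree" 2019-11-09 2019-11-11
echo "atime inside window but ctime after it (touch -a signature):"
flag_tampered "$tree" 2019-11-09 2019-11-11
rm -rf "$tree"
```

On the constructed tree every file in the window is flagged, precisely because their atimes were set with touch; on a real share the flagged set should be empty unless someone back-dated access times.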
