Inotify - how to find out which user modified the file?

Question

Inotify - how to find out which user modified the file?

I am looking for a guide on how to find out which user modified a particular file. Although inotify is great for receiving notifications when a specific file is affected, how can I find out which user has modified that file? I can think about using lsof, but I'm afraid that it may not be as "real time" as I want, and / or it may be too much a resource tax. In real time, I mean that if the user simply executes the touch command in the file, by the time lsof in the file, it cannot be raised using lsof .

+8

linux filesystems filestream inotify

user837208 Aug 3 '11 at 1:49

source share

2 answers

If you add the -i option to an earlier command, you will get the result in a more readable format. You will get the uid converted to the real username on the server.

ausearch -k my-file-changed -i | tail -1

+2

user2894438 Oct 18 '13 at 11:08

source share

Paweł nadolski · Accepted Answer · 2011-08-11T09:55:48+0000

You can use audit deamon :

 sudo apt-get install auditd

Select a file to monitor.

 touch /tmp/myfile

Add an audit to change the entry and attribute ( -p wa ):

 sudo auditctl -w /tmp/myfile -p wa -k my-file-changed

The file is affected by some users:

 touch /tmp/myfile

Check audit logs:

 sudo ausearch -k my-file-changed | tail -1

You can see the UID user who runs the command on exit

type = SYSCALL msg = audit (1313055675.066: 57): arch = c000003e syscall = 2 success = yes exit = 3 a0 = 7ffffb6744dd a1 = 941 a2 = 1b6 a3 = 7ffffb673bb0 items = 1 ppid = 3428 pid = 4793 auid = 4294967295 uid 1000 gid = 1000 euid = 1000 suid = 1000 fsuid = 1000 egid = 1000 sgid = 1000 fsgid = 1000 tty = pts1 ses = 4294967295 comm = "touch" exe = "/ bin / touch" key = "my-file-changed"

For more information on usage, see the man pages or this sample manual .

Inotify - how to find out which user modified the file?

More articles: