inotify - How do I find out which user modified a file?

Time: 2021-08-09 09:54:35

I'm looking for guidance on how to find out which user has modified a particular file. While inotify is great to get a notification when a particular file is touched, how do I figure out which user has modified that file? I can think of using lsof, but I'm afraid that it may not be as "realtime" as I want and/or it might be too much of a tax on resources. By realtime, I mean that if a user simply executes a touch command on a file, by the time I run lsof on the file, it may not be picked up by lsof.

2 solutions

#1


12  

You can use the audit daemon:

sudo apt-get install auditd

Choose a file to monitor

touch /tmp/myfile

Add audit for write and attribute change (-p wa):

sudo auditctl -w /tmp/myfile -p wa -k my-file-changed

The file is touched by some user:

touch /tmp/myfile

Check audit logs:

sudo ausearch -k my-file-changed | tail -1

You can see the UID of the user who ran the command in the output:

type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0 items=1 ppid=3428 pid=4793 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/bin/touch" key="my-file-changed"

For details of usage see man pages or this sample guide.

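A worked example, added here and not part of either answer: a POSIX shell script that parses SYSCALL records of the kind the `-w /tmp/myfile -p wa` watch above produces and decides which user to attribute the change to. The first sample record is the one from the answer; the second (a `touch` run through `sudo`) is constructed for illustration, and the function names `audit_field`, `audit_actor` and `audit_summary` are the example's own. The point the raw record hides is that `uid` is the effective user at the moment of the syscall, while `auid` is the login UID that pam_loginuid stamps on a session and that survives `su`/`sudo`; `auid=4294967295` is (unsigned) -1, which `ausearch -i` prints as `unset`, and means no login session tagged the process, so only `uid` is left to go on.

```shell
#!/bin/sh
# Added example (not from the original answers): pick the responsible user
# out of auditd SYSCALL records such as those a -w /tmp/myfile -p wa watch emits.
# Function names (audit_field, audit_actor, audit_summary) are this example's own.

# Constructed sample 1: the record from the answer above (auid unset, plain user).
SAMPLE='type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0 items=1 ppid=3428 pid=4793 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/bin/touch" key="my-file-changed"'

# Constructed sample 2 (invented for illustration): the same touch run via sudo.
# uid/euid are now 0, but auid still carries the login UID of whoever typed it.
SUDO_SAMPLE='type=SYSCALL msg=audit(1313055700.123:61): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2a3e50 a1=941 a2=1b6 a3=7ffd1c2a3a10 items=1 ppid=5120 pid=5123 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="touch" exe="/usr/bin/touch" key="my-file-changed"'

# audit_field RECORD NAME: print the value of NAME=... (surrounding quotes removed).
# Fields are space separated; the kernel hex-encodes a value that would otherwise
# contain a space, so splitting on whitespace is safe for SYSCALL records.
audit_field() {
    printf '%s\n' "$1" | awk -v name="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == name) {
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# audit_actor RECORD: the login UID when the kernel knows it, else the effective UID.
# auid=4294967295 is (unsigned)-1, "unset": no login session tagged the process
# (no pam_loginuid, or a daemon/cron/container context), so fall back to uid.
audit_actor() {
    actor_auid=$(audit_field "$1" auid)
    if [ -n "$actor_auid" ] && [ "$actor_auid" != "4294967295" ]; then
        printf 'auid=%s\n' "$actor_auid"
    else
        printf 'uid=%s\n' "$(audit_field "$1" uid)"
    fi
}

# audit_summary < records: one line per SYSCALL record: epoch actor comm exe key.
# Non-SYSCALL records (CWD, PATH, PROCTITLE) that ausearch prints alongside are skipped.
audit_summary() {
    while IFS= read -r rec; do
        case "$rec" in
            type=SYSCALL*) ;;
            *) continue ;;
        esac
        # msg=audit(EPOCH.MSEC:SERIAL): -> EPOCH
        epoch=$(audit_field "$rec" msg | sed 's/^audit(\([0-9]*\)\..*$/\1/')
        printf '%s %s %s %s %s\n' "$epoch" "$(audit_actor "$rec")" \
            "$(audit_field "$rec" comm)" "$(audit_field "$rec" exe)" \
            "$(audit_field "$rec" key)"
    done
}

# Stand-alone run: summarize both constructed records.
printf '%s\n%s\n' "$SAMPLE" "$SUDO_SAMPLE" | audit_summary
```

Two practical caveats that go with the answer's procedure. Rules added with `auditctl` live only until reboot; to persist the watch, put the same `-w /tmp/myfile -p wa -k my-file-changed` line in a file under `/etc/audit/rules.d/` and run `augenrules --load`. And `-p wa` fires on writes and attribute changes only; add `r` to the permission list if reads of the file matter too. The numeric ids in the record are resolved to names by `ausearch -i` against the passwd database of the host running `ausearch`, so logs copied from another machine can be labelled with the wrong names.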
#2


2  

If you add the -i option to the earlier command, you will get output in a more human-readable format. You will get the uid converted to the real username on the server.

ausearch -k my-file-changed -i | tail -1