Is there a command to display a list of users who modified a file providing a file history?
I know that possible with svn/git etc.. but we have a config file that is not in SVN and someone modified it.
Asked
Active
Viewed 5.2k times
2 Answers
13
If you have not previously enabled some sort of auditing, there is not a tool that can report this after the file has been modified. You can get the date and time of when the file was last modified, but not a revision history.
Moving forward, you could install, setup, enable the auditd package.
From the auditctl man page:
-w path
Insert a watch for the file system object at path. You cannot insert
a watch to the top level directory. This is prohibited by the kernel.
Wildcards are not supported either and will generate a warning. The way
that watches work is by tracking the inode internally. If you place a
watch on a file, its the same as using the -F path option on a
syscall rule. If you place a watch on a directory, its the same as using
the -F dir option on a syscall rule. The -w form of writing watches
is for backwards compatibility and the syscall based form is more
expressive. Unlike most syscall auditing rules, watches do not impact
performance based on the number of rules sent to the kernel. The only
valid options when using a watch are the -p and -k. If you need to
anything fancy like audit a specific user accessing a file, then use
the syscall auditing form with the path or dir fields.
There is more discussion about this in the question Logging hidden file creations
2
Here some discussing to hacking with inotify to make it provide you with PID and UID. http://www.ioremap.net/node/55
Also look at Audit http://andries.filmer.nl/kb/Monitoring-file-system-events-with-inotify,-incron-and-authctl/129#Audit
Boris Ivanov
- 236