I need to know the full history of a file, like if someone changed or moved it to some other places since the time when it is created.
You can use audit logging to do this, but it requires being set up: http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html. Search through this site looking for auditd, there are examples here as well. – slm Nov 07 '13 at 13:25
See the closely related question Access history of a file. After the fact, it's too late. There are ways to set up monitoring which will let you know about subsequent actions. – Gilles 'SO- stop being evil' Nov 07 '13 at 22:19
1 Answer
In general, you can't. The metadata guaranteed to be stored is always that of the latest revision, and any other metadata could be overwritten at any moment.
If your environment is potentially hostile, consider using the kernel audit subsystem to audit and log the rename() and write() syscalls. This is fairly unwieldy, however, because you will log extreme volumes of data that you probably don't care about. You could also limit your auditing to a subset of files which you care about, if you like.
If this is mostly for revision, consider using a version control system, like Git. This allows users to keep tabs on file states effectively through time, and is much more user friendly than navigating backwards through an audit log. It can do all the things you asked for, and much more.
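An added example, not part of the answer above: once auditing is limited to a subset of files, the log can be reduced to a per-file history. This sketch groups raw audit records by event ID and follows one file across renames. The sample records, the paths and the rule key "filehist" are constructed for illustration, and names are assumed to be absolute.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (trimmed to the fields used here). Assumes a
# directory watch with a hypothetical key: auditctl -w /srv/docs -p wa -k filehist
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1383830700.101:812): arch=c000003e syscall=2 success=yes auid=1000 uid=1000 exe="/usr/bin/vim" key="filehist"
type=PATH msg=audit(1383830700.101:812): item=0 name="/srv/docs/report.txt" nametype=NORMAL
type=SYSCALL msg=audit(1383830760.000:820): arch=c000003e syscall=2 success=yes auid=1000 uid=1000 exe="/usr/bin/vim" key="filehist"
type=PATH msg=audit(1383830760.000:820): item=0 name="/srv/docs/notes.txt" nametype=NORMAL
type=SYSCALL msg=audit(1383834300.250:977): arch=c000003e syscall=82 success=yes auid=1001 uid=0 exe="/usr/bin/mv" key="filehist"
type=PATH msg=audit(1383834300.250:977): item=0 name="/srv/docs/" nametype=PARENT
type=PATH msg=audit(1383834300.250:977): item=1 name="/srv/archive/" nametype=PARENT
type=PATH msg=audit(1383834300.250:977): item=2 name="/srv/docs/report.txt" nametype=DELETE
type=PATH msg=audit(1383834300.250:977): item=3 name="/srv/archive/report-old.txt" nametype=CREATE
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def file_history(log, path, key):
    """Return (utc_time, auid, exe, action) tuples for `path`, following renames."""
    events = defaultdict(lambda: {"sys": {}, "paths": defaultdict(list)})
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, epoch, serial = m.group(1), int(m.group(2)), int(m.group(3))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        ev = events[(epoch, serial)]  # records of one event share timestamp:serial
        if rtype == "SYSCALL":
            ev["sys"] = fields
        elif rtype == "PATH":
            ev["paths"][fields.get("nametype")].append(fields.get("name"))
    history, current = [], path
    for (epoch, _), ev in sorted(events.items()):
        sc, paths = ev["sys"], ev["paths"]
        if sc.get("key") != key or sc.get("success") != "yes":
            continue
        if current in paths["DELETE"] and paths["CREATE"]:
            action = f"renamed {current} -> {paths['CREATE'][0]}"
            current = paths["CREATE"][0]
        elif current in paths["NORMAL"]:
            action = f"opened for write/attr change: {current}"
        else:
            continue  # event concerns a different file under the same watch
        when = datetime.fromtimestamp(epoch, timezone.utc).isoformat()
        history.append((when, sc.get("auid"), sc.get("exe"), action))
    return history
```

Real logs often carry relative name= values that have to be resolved against the event's CWD record, and syscall numbers are architecture-specific, which is why the sketch classifies events by nametype rather than by syscall number.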

Some folks use rcs for versioning local files, as the archive/log is stored local, plaintext. – ChuckCottrill Nov 08 '13 at 02:50