Linux inotify - how to find out which user has modified a file?

Disclaimer: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same license and attribute it to the original authors (not me), citing the original StackOverflow post: http://stackoverflow.com/questions/6920812/

Date: 2020-08-05 05:25:47  Source: igfitidea

inotify - how to find out which user has modified file?

Tags: linux, filesystems, file, stream, inotify

Asked by user837208

I'm looking for guidance on how to find out which user has modified a particular file. While inotify is great to get a notification when a particular file is touched, how do I figure out which user has modified that file? I can think of using lsof, but I'm afraid that it may not be as "realtime" as I want and/or it might be too much of a tax on resources. By realtime, I mean that if a user simply executes a touch command on a file, by the time I run lsof on the file, it may not be picked up by lsof.

Accepted answer by Paweł Nadolski

You can use the audit daemon:

sudo apt-get install auditd

Choose a file to monitor

touch /tmp/myfile

Add an audit watch for writes and attribute changes (-p wa):

sudo auditctl -w /tmp/myfile -p wa -k my-file-changed

The file is touched by some user:

touch /tmp/myfile

Check audit logs:

sudo ausearch -k my-file-changed | tail -1

You can see the UID of the user who ran the command in the output:

type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0 items=1 ppid=3428 pid=4793 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/bin/touch" key="my-file-changed"

For details of usage see the man pages or this sample guide.

Answer by user2894438

If you add the -i option to the earlier command, you will get output in a more human-readable format. You will get the uid converted to the real username on the server.

ausearch -k my-file-changed -i | tail -1
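As an added example (not part of either answer above, nor of the auditd project), here is a small Python parser for the raw SYSCALL records that ausearch returns for the key used in the accepted answer. It resolves the uid to a user name the way ausearch -i does, and it names the actor from auid (the login UID that pam_loginuid sets at login and that survives setuid and sudo) rather than from uid, because after "sudo touch" the uid and euid are 0 while auid still holds the login that typed the command. The record quoted in the accepted answer has auid=4294967295, which is -1 stored unsigned, meaning "unset": that process never went through an audited login session, so only the process uid is available and the parser says so. The three sample records are constructed (the first is the one from the answer with the missing space restored; the "sudo touch" and logrotate records are assumptions), and the uid-to-name table passed in is an assumption so the script runs offline without those users in /etc/passwd.

```python
import pwd
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# auditd stores -1 as an unsigned 32-bit value, so an unset login UID
# (no pam_loginuid session) appears as auid=4294967295 in the log.
AUID_UNSET = 4294967295

# Constructed sample records. The first is the SYSCALL record quoted in the
# accepted answer (with the space between uid= and gid= restored); the other
# two are assumed records for "sudo touch" run from login uid 1000 and for a
# system process (logrotate) that has no login session at all.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0 items=1 '
    'ppid=3428 pid=4793 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 '
    'fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 '
    'comm="touch" exe="/bin/touch" key="my-file-changed"',
    'type=SYSCALL msg=audit(1313055801.412:61): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7ffd1c0a2e10 a1=941 a2=1b6 a3=7ffd1c0a2400 items=1 '
    'ppid=4810 pid=4822 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=pts1 ses=3 comm="touch" exe="/bin/touch" '
    'key="my-file-changed"',
    'type=SYSCALL msg=audit(1313056000.009:70): arch=c000003e syscall=2 '
    'success=yes exit=4 a0=55d0c2f1a0b0 a1=241 a2=1a4 a3=0 items=1 '
    'ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" '
    'exe="/usr/sbin/logrotate" key="my-file-changed"',
]

_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# Fields auditd hex-encodes (unquoted) when the value contains spaces or odd bytes.
_HEX_FIELDS = {"comm", "exe", "proctitle", "name", "cwd"}


def parse_record(line: str) -> Dict[str, str]:
    """Split one raw audit record into its key=value fields."""
    rec: Dict[str, str] = {}
    for key, value in _FIELD.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif key in _HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
            value = bytes.fromhex(value).decode("utf-8", "replace")
        rec[key] = value
    return rec


def resolve_name(uid: int, name_table: Optional[Dict[int, str]] = None) -> str:
    """Map a uid to a name like ausearch -i: /etc/passwd, or the supplied table
    (an assumption for offline use), falling back to unknown(<uid>)."""
    if name_table is not None:
        return name_table.get(uid, f"unknown({uid})")
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return f"unknown({uid})"


def attribute(rec: Dict[str, str], name_table: Optional[Dict[int, str]] = None) -> Dict[str, object]:
    """Decide which user a SYSCALL record should be attributed to.

    auid is the login UID set by pam_loginuid and kept across setuid/sudo, so it
    names the person even when uid/euid are 0. When it is unset (4294967295) the
    process never went through a login session and only the process uid remains."""
    ts, serial = _MSG.search(rec["msg"]).groups()
    uid, euid = int(rec["uid"]), int(rec["euid"])
    auid_raw = int(rec["auid"])
    auid = None if auid_raw == AUID_UNSET else auid_raw
    actor_uid = auid if auid is not None else uid
    return {
        "event_id": f"{ts}:{serial}",
        "time": datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat(),
        "key": rec.get("key"),
        "comm": rec.get("comm"),
        "exe": rec.get("exe"),
        "success": rec.get("success") == "yes",
        "uid": uid,
        "euid": euid,
        "auid": auid,
        "actor": resolve_name(actor_uid, name_table),
        "basis": "login uid (auid)" if auid is not None else "process uid only (auid unset)",
    }


def attribute_all(lines: List[str], name_table: Optional[Dict[int, str]] = None) -> List[Dict[str, object]]:
    """Attribute every SYSCALL record in a block of ausearch output; the CWD and
    PATH records that ausearch prints for the same event are skipped."""
    return [attribute(parse_record(line), name_table)
            for line in lines if line.startswith("type=SYSCALL ")]


if __name__ == "__main__":
    # Assumed name table so the demo runs without these users in /etc/passwd.
    demo_names = {0: "root", 1000: "alice"}
    for a in attribute_all(SAMPLE_RECORDS, demo_names):
        print(f'{a["time"]} {a["key"]}: {a["comm"]} ({a["exe"]}) by {a["actor"]} '
              f'[uid={a["uid"]} euid={a["euid"]} auid={a["auid"]}; {a["basis"]}]')
```

Feed it the output of "sudo ausearch -k my-file-changed" (without -i, since the script does the name resolution itself). Two practical points: a watch added with auditctl -w is gone after a reboot, so put the same "-w /tmp/myfile -p wa -k my-file-changed" line in a file under /etc/audit/rules.d/ to keep it; and if your records show auid=4294967295 for interactive users, as the one in the accepted answer does, check that pam_loginuid is in the PAM stack for the login services you use, otherwise sudo'd changes will all be attributed to root.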