inotify - how to find out which user has modified a file?


Question



I'm looking for guidance on how to find out which user has modified a particular file. While inotify is great to get notification when a particular file is touched, how do I figure out which user has modified that file? I can think of using lsof but I'm afraid that it may not be as "realtime" as I want and/or it might be too much of a tax on resources. By realtime, I mean that if a user simply executes a touch command on a file, by the time I run lsof on the file, it may not be picked up by lsof.

Solution

You can use the audit daemon:

sudo apt-get install auditd

Choose a file to monitor

touch /tmp/myfile

Add audit for write and attribute change (-p wa):

sudo auditctl -w /tmp/myfile -p wa -k my-file-changed

The file is touched by some user:

touch /tmp/myfile

Check audit logs:

sudo ausearch -k my-file-changed | tail -1

You can see the UID of the user who ran the command in the output:

type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0 items=1 ppid=3428 pid=4793 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/bin/touch" key="my-file-changed"

For details of usage see man pages or this sample guide.
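As an added example (not part of the original answer), here is a small Python parser for the SYSCALL record quoted above: it pulls out who performed the syscall, which program did it, and against which audit key. Note that in the quoted record auid=4294967295 (unsigned -1), which means the login UID was never set for that session, so only uid=1000 is available for attribution; on a system where pam_loginuid sets auid at login, auid survives su and sudo and is the field to trust, and a mismatch between auid and uid shows the change was made through privilege escalation. The record text and field names below are the page's own; the helper names are mine.

```python
"""Parse Linux audit SYSCALL records (as printed by `ausearch`) and pull out
the fields that identify who touched a watched file."""
import re
from typing import Dict, Optional

# The SYSCALL record quoted in the answer above, embedded here as sample input.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0 items=1 '
    'ppid=3428 pid=4793 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 '
    'fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 '
    'comm="touch" exe="/bin/touch" key="my-file-changed"'
)

UNSET_ID = 4294967295  # (unsigned)-1: login UID / session id was never set

# key=value pairs; values are either a double-quoted string or a bare token
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def who_modified(line: str) -> Optional[Dict[str, object]]:
    """Describe the actor behind a SYSCALL record; None for other record types.

    auid is the login UID assigned at login and kept across su/sudo, so it is
    the attribution field; uid is the identity that actually made the call.
    """
    f = parse_audit_record(line)
    if f.get("type") != "SYSCALL":
        return None
    auid, uid = int(f["auid"]), int(f["uid"])
    return {
        "key": f.get("key"),
        "exe": f.get("exe"),
        "comm": f.get("comm"),
        "pid": int(f["pid"]),
        "uid": uid,
        "login_uid": None if auid == UNSET_ID else auid,
        # auid set but different from uid: the change came via su/sudo
        "escalated": auid != UNSET_ID and auid != uid,
        "success": f.get("success") == "yes",
    }
```

Feed it the lines from `sudo ausearch -k my-file-changed`; records whose login_uid is None cannot be attributed beyond the numeric uid, which is the gap pam_loginuid closes.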
