Home/ Questions/Q 6238663
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T11:15:15+00:00

I’m looking for guidance on how to find out which user has modified a

  • 0

I’m looking for guidance on how to find out which user has modified a particular file. While inotify is great to get notification when a particular file is touched, how do I figure out which user has modified that file? I can think of using lsof but I’m afraid that it may not be as "realtime" as I want and/or it might be too much of a tax on resources. By realtime, I mean that if a user simply executes a touch command on a file, by the time I run lsof on file, it may not be picked up by lsof.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can use audit deamon:

    sudo apt-get install auditd

    Choose a file to monitor

    touch /tmp/myfile

    Add audit for write and attribute change (-p wa):

    sudo auditctl -w /tmp/myfile -p wa -k my-file-changed

    The file is touched by some user:

    touch /tmp/myfile

    Check audit logs:

    sudo ausearch -k my-file-changed | tail -1

    You can see the UID of the user who run the command in the output

    type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2
    success=yes exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0
    items=1 ppid=3428 pid=4793 auid=4294967295 uid=1000 gid=1000 euid=1000
    suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1
    ses=4294967295 comm=”touch” exe=”/bin/touch” key=”my-file-changed”

    For details of usage see man pages or this sample guide.

    • 0