V-Tech Posted August 23, 2014

Hi everyone,

Quick question here: is there a way to "follow" a file in a Linux OS? Meaning, to see who edited the file and when it was edited, not only by users but also if a process of some sort made a change to the file. Is there a thing like this? Thanks in advance.
ichi Posted August 23, 2014

You can use auditd and create a rule for a file or directory:

sudo auditctl -w /path/toaudit -k rule-name

It will log all the access attempts on those files, both successful and failed. To check the logs for a specific rule:

sudo ausearch -k rule-name

There's also inotify, which isn't security oriented and will notify about changes in the files or directories you want to track, but without specifying which user made those changes. It can be useful to perform automatic actions triggered by changes in files (e.g. reload a service when its configuration file changes).

Both work in real time, using kernel features to track those changes rather than polling.
V-Tech Posted August 23, 2014 (Author)

Hi ichi,

Thanks for the info, this looks exactly like what I need. One question: does this survive a reboot, or after each reboot of the machine will I have to make a new rule?
ichi Posted August 23, 2014

The rules are stored in /etc/audit.rules (or /etc/audit/audit.rules, depending on the distro) and are loaded on boot. You can actually write (or modify) the rules manually in that file instead of using the auditctl command, if you want.
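To make the two answers above concrete, here is an added example (not code from anyone in this thread) that does the second half of the job: once a watch such as `auditctl -w /etc/hosts -p wa -k hosts-watch` is in place (the `-p wa` limits it to writes and attribute changes; with no `-p`, reads and executes are logged too), the records land in /var/log/audit/audit.log, and the same watch line dropped into the rules file ichi mentions makes it persist across reboots. The script parses raw audit records (the format `ausearch --raw` prints) and answers the original question directly: for every event tagged with the rule's key it reports when it happened, which login user (`auid`) and which uid did it, which executable did it, whether the write succeeded, and which path was touched. The log lines are constructed for the example, and the path, key and uids are assumptions; the `auid` versus `uid` distinction is the point worth noticing, since `auid` is the original login user and survives `sudo`, while a daemon or cron job shows `auid=4294967295` (unset).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in raw audit.log format (what `ausearch --raw` prints).
# Not real output from any system in this thread. Assumed rule:
#   auditctl -w /etc/hosts -p wa -k hosts-watch
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1408795200.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd3c1a8f10 a1=241 a2=1b6 a3=0 items=2 ppid=2345 pid=2350 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="hosts-watch"
type=CWD msg=audit(1408795200.123:4567):  cwd="/root"
type=PATH msg=audit(1408795200.123:4567): item=0 name="/etc/" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1408795200.123:4567): item=1 name="/etc/hosts" inode=131100 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1408795260.456:4602): arch=c000003e syscall=2 success=no exit=-13 a0=55d2c0a1e2c0 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=2410 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php" exe="/usr/bin/php" key="hosts-watch"
type=CWD msg=audit(1408795260.456:4602):  cwd="/var/www"
type=PATH msg=audit(1408795260.456:4602): item=0 name="/etc/hosts" inode=131100 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1408795300.000:4610): pid=2500 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
"""

# Every record starts with type=... msg=audit(<epoch>.<ms>:<serial>): and the
# serial groups the SYSCALL, CWD and PATH records of one event together.
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values may be bare, double-quoted or single-quoted.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
AUID_UNSET = 4294967295  # (unsigned)-1: no login session, e.g. cron or a daemon


def parse_record(line):
    """Split one raw audit line into (type, timestamp, serial, fields) or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(body)}
    return rtype, float(ts), int(serial), fields


def events_for_key(log_text, key):
    """Group records by event serial and summarise every event tagged with `key`."""
    events = defaultdict(lambda: {"ts": None, "syscall": None, "paths": []})
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        ev = events[serial]
        ev["ts"] = ev["ts"] if ev["ts"] is not None else ts
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            # Skip the PARENT directory entry; keep the file actually touched.
            ev["paths"].append(fields.get("name", "?"))
    out = []
    for serial in sorted(events):
        ev = events[serial]
        sc = ev["syscall"]
        if not sc or sc.get("key") != key:
            continue  # unrelated record, or an event from another rule
        auid = int(sc.get("auid", AUID_UNSET))
        out.append({
            "serial": serial,
            "when": datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat(),
            "login_user": "unset" if auid == AUID_UNSET else auid,  # survives sudo
            "uid": int(sc["uid"]),
            "exe": sc.get("exe"),
            "comm": sc.get("comm"),
            "success": sc.get("success") == "yes",
            "paths": ev["paths"],
        })
    return out


if __name__ == "__main__":
    for e in events_for_key(SAMPLE_AUDIT_LOG, "hosts-watch"):
        verdict = "wrote" if e["success"] else "FAILED to write"
        print(f'{e["when"]} auid={e["login_user"]} uid={e["uid"]} '
              f'{e["exe"]} ({e["comm"]}) {verdict} {", ".join(e["paths"])}')
```

On a live system, `sudo ausearch -k hosts-watch -i` gives the same information with uids and syscall numbers already translated; the script is useful when you want to post-process the raw log (for example, to feed only the failed attempts, or only writes by unset `auid`, into a ticket or alert). Note that in the sample the root write is still attributed to login user 1000, which is exactly what `uid` alone would hide after `sudo`.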
V-Tech Posted August 23, 2014 (Author)

Thanks a lot for the assistance!