This content has been marked as final. Show 5 replies
If you want to find out who changes a file you first need to enable file auditing of the directory of file. By default the audit daemon is running, but not configured to monitor your file or directory access.1 person found this helpful
su - root touch /watchme chmod 777 watchme auditctl -w /watchme -p war -k watchme-file adduser dude su - dude touch /watchme exit ausearch -k watchme-file
Do I have to do this as a root? I can not su as a root.
Yes, the audit utilities are in /sbin and require super-user (root) access privileges.
I do not have root access. Do you know if I have any other options?
If the administrator has added your account to the /etc/sudoers command you could try to use the following to gain root access or run the audit utility using root privileges. When prompted for password, enter your own account password.1 person found this helpful
Otherwise, you are out of luck and need to consult your system administrator. Or boot the machine into single user mode to reset the root password if you have system console access.
sudo su - sudo auditctl