5 Replies Latest reply: Mar 28, 2013 12:53 PM by Dude! RSS

    Who changes my files?

    870050
      Can someone tell me the command to find out who was the last user to change a file?
        • 1. Re: Who changes my files?
          Dude!
          If you want to find out who changes a file you first need to enable file auditing of the directory of file. By default the audit daemon is running, but not configured to monitor your file or directory access.

          For instance:
          su - root
          touch /watchme
          chmod 777 watchme
          auditctl -w /watchme -p war -k watchme-file
          adduser dude
          su - dude
          touch /watchme
          exit
          ausearch -k watchme-file
          • 2. Re: Who changes my files?
            870050
            Do I have to do this as a root? I can not su as a root.
            • 3. Re: Who changes my files?
              Dude!
              Yes, the audit utilities are in /sbin and require super-user (root) access privileges.
              • 4. Re: Who changes my files?
                870050
                I do not have root access. Do you know if I have any other options?
                • 5. Re: Who changes my files?
                  Dude!
                  If the administrator has added your account to the /etc/sudoers command you could try to use the following to gain root access or run the audit utility using root privileges. When prompted for password, enter your own account password.
                  sudo su -
                  sudo auditctl
                  Otherwise, you are out of luck and need to consult your system administrator. Or boot the machine into single user mode to reset the root password if you have system console access.