The name of a user modifying a file is not stored in the file system, only the user ID of the user that
created the file.
To log the UID of users accessing a file, you'll need to audit file system operations. You may want to install the "audit" package for your distribution and check out the man pages for
auditd,
auditctl and
ausearch.
As for the IP or MAC address of the user's workstation, that's not something you'll find in the audit log because that information exists way down in the network stack:
The file is being accessed by a
user who has opened a
session from a
host with a specific
IP address bound to an
Ethernet MAC address.
You didn't mention how the files are being accessed over the network. The IP address of the host from where the user is opening a session may be logged by whatever server process is serving the file (NFS, samba, a web server or something else entirely).
The IP/MAC binding only exists in the ARP cache of the server while the session is active, and that is assuming the server and client is on the same network. I guess you could log this information with an
iptables rule, but that log could get huge quickly if you have lots of users accessing lots of files. The performance impact would probably be significant as well.
If the client is on a different network/subnet, the server will only see the MAC address of the next-hop router.
