LinuxQuestions.org


thomas2004ch 01-27-2011 08:28 AM

How to find out who has modified/edited a file?
 
Background:

I use RedHat Linux 5.

We usually log in to LINUX via putty (remote). Very often many people use the same user and password to log in.

My question:
I wonder how to tell who has edited/modified a file?

Any idea?

Thomas

zer0signal 01-27-2011 08:47 AM

Well, the long way would be to do an ls -l and check the modify date; once you have the time, you can then cat /var/log/secure, looking to see who was on around that time... and then trace the IP address to a workstation name, "if they are using different computers".

thomas2004ch 01-27-2011 09:07 AM

Many thanks! This is what I want to know.

zer0signal 01-27-2011 09:21 AM

to clean up that secure log and look for exactly ssh attempts do:

cat /var/log/secure |grep "Accepted Password"

that should show who and what time and ip

thomas2004ch 01-27-2011 09:24 AM

Sorry, I have to add some comment:

Here is what I tried as you wrote.

I've created a file test.txt under /home/jb51/temp.

Code:

[root@s003ap19-test ~]# ls -la /home/jb51/temp/
total 3
drwxr-xr-x  2 jb51 jboss 1024 Jan 27 16:04 .
drwx------  3 jb51 jboss 1024 Jan 27 16:04 ..
-rw-r--r--  1 jb51 jboss  15 Jan 27 16:04 test.txt


One can also tell the IP address of my computer. But how can one confirm this file was modified by me, since the file name cannot be found in /var/log/secure? Maybe at the same time someone else also logged in and created another file?

Code:

[root@s003ap19-test ~]# cat /var/log/secure
Jan 24 13:07:22 s003ap19-test sshd[11011]: Accepted keyboard-interactive/pam for jb51 from ::ffff:130.144.171.13 port 1600 ssh2
Jan 24 13:10:41 s003ap19-test sudo:    jb51 : /etc/sudoers is mode 0640, should be 0440 ; TTY=pts/0 ; PWD=/home/jb51 ; USER=root ; COMMAND=service jb51
Jan 24 13:10:52 s003ap19-test sudo:    jb51 : /etc/sudoers is mode 0640, should be 0440 ; TTY=pts/0 ; PWD=/home/jb51 ; USER=root ; COMMAND=service jb51
Jan 24 13:13:09 s003ap19-test sudo:    jb51 : /etc/sudoers is mode 0640, should be 0440 ; TTY=pts/0 ; PWD=/home/jb51 ; USER=root ; COMMAND=service jb51 status
Jan 24 13:17:16 s003ap19-test sudo:    jb51 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jb51 ; USER=root ; COMMAND=service jb51 status
Jan 26 14:23:49 s003ap19-test sshd[25677]: Accepted keyboard-interactive/pam for jb51 from ::ffff:130.144.171.13 port 4797 ssh2
Jan 27 16:04:12 s003ap19-test sshd[720]: Accepted keyboard-interactive/pam for jb51 from ::ffff:130.144.171.13 port 3128 ssh2
[root@s003ap19-test ~]#


thomas2004ch 01-27-2011 09:25 AM

Quote:

Originally Posted by zer0signal (Post 4239531)
to clean up that secure log and look for exactly ssh attempts do:

cat /var/log/secure |grep "Accepted Password"

that should show who and what time and ip

I tried this but got nothing shown:
Code:

[root@s003ap19-test ~]# cat /var/log/secure |grep "Accepted Password"
[root@s003ap19-test ~]#


zer0signal 01-27-2011 09:34 AM

sorry

try

cat /var/log/secure |grep "Accepted password"

lower case 'p' =P

zer0signal 01-27-2011 09:40 AM

As for who modified it, I don't know, because everyone uses the same login ID. Off the top of my head, it would be to cross-reference the IP address, login time, and date-modified stamp of the file, to get a close idea of who it might be...

Maybe someone else here might know of a way to def tell who modified it.

But with it being the same login ID for each SSH session... This is the only way I am able to think of to try and get as close as you can to who it was...
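
The cross-referencing described in the thread (file modification time against accepted SSH logins and their source addresses), as an added example that is not part of any poster's reply. It matches on `Accepted` for any authentication method, since the log posted above records `keyboard-interactive/pam` rather than `password`; the log lines, host name and IP addresses in the sample are constructed, and GNU `date` is assumed.

```shell
#!/bin/sh
# Added example: which SSH logins could account for a file's modification time?
# The sample log is constructed (documentation IPs, hypothetical host "host1").
sample_secure_log() {
cat <<'EOF'
Jan 26 14:23:49 host1 sshd[25677]: Accepted keyboard-interactive/pam for jb51 from ::ffff:192.0.2.13 port 4797 ssh2
Jan 27 15:40:02 host1 sshd[601]: Accepted password for jb51 from 192.0.2.10 port 4101 ssh2
Jan 27 16:04:12 host1 sshd[720]: Accepted keyboard-interactive/pam for jb51 from ::ffff:192.0.2.13 port 3128 ssh2
Jan 27 16:10:45 host1 sshd[811]: Accepted publickey for jb51 from 192.0.2.77 port 5000 ssh2
Jan 27 16:11:00 host1 sshd[902]: Failed password for jb51 from 192.0.2.99 port 5001 ssh2
EOF
}

# Print a file's mtime as "Mon D HH:MM:SS", the layout syslog uses.
# Gives seconds, which the `ls -l` listing does not (GNU date assumed).
mtime_fields() {
    LC_ALL=C date -r "$1" '+%b %e %T'
}

# Read a secure log on stdin; print "time method user ip" for every accepted
# SSH login on the given day at or before the given time.
# $1 = month name, $2 = day of month, $3 = HH:MM:SS
candidate_logins() {
    awk -v mon="$1" -v day="$2" -v mtime="$3" '
        # Match on the word "Accepted", not on one auth method, so password,
        # publickey and keyboard-interactive/pam logins are all reported.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" && $10 == "from" {
            # syslog lines carry no year; compare month, day and clock time.
            if ($1 == mon && $2 + 0 == day + 0 && $3 <= mtime) {
                ip = $11
                sub(/^::ffff:/, "", ip)   # drop the IPv4-mapped IPv6 prefix
                print $3, $7, $9, ip
            }
        }'
}

# Demo on the constructed log: a file last modified Jan 27 at 16:04:30.
sample_secure_log | candidate_logins Jan 27 16:04:30
# Against a real file and log (path taken from the thread):
#   candidate_logins $(mtime_fields /home/jb51/temp/test.txt) < /var/log/secure
```

With a shared account this only narrows the list: every session that was open at the modification time remains a candidate, and logins from earlier days that were never closed are not shown.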

