How to find out who has modified/edited a file?
Background:
I use RedHat Linux 5. We usually log in to LINUX via putty (remote). Very often many people use the same user and password to log in. My question: I wonder how to tell who has edited/modified a file? Any idea?
Thomas

Well the long way would be to do a ls -l and check the modify date; once you have the time, you can then cat /var/log/secure, looking to see who was on around that time.... and then trace the ip address to a workstation name. "if they are using different computers"

Many thanks! This is what I want to know.

to clean up that secure log and look for exactly ssh attempts do:
cat /var/log/secure |grep "Accepted Password"
that should show who and what time and ip

Sorry, I have to add some comment:
Here is what I tried as you wrote. I've created a file test.txt under /home/jb51/temp.
Code:
[root@s003ap19-test ~]# ls -la /home/jb51/temp/
One can also tell the IP-Address of my computer. But how can one confirm this file is modified by me, since the file name can not be found in /var/log/secure? Maybe at the same time someone else also logged in and created another file?
Code:
[root@s003ap19-test ~]# cat /var/log/secure

Quote:
Code:
[root@s003ap19-test ~]# cat /var/log/secure |grep "Accepted Password"
sorry
try cat /var/log/secure |grep "Accepted password" lower case 'p' =P

As for who modified, I don't know because everyone uses the same login id.. Off the top of my head would be to cross reference IP address, and login time, and date modified stamp of file.. To get a close idea of who it might be...
Maybe someone else here might know of a way to def tell who modified it. But with it being the same login ID for each SSH session... This is the only way I am able to think of to try and get as close as you can to who it was...
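
The cross-referencing suggested in the thread, written out as an added example (not code from any poster): it pairs each "Accepted password" line with the matching sshd session close and lists the source IPs whose session was open at the file's modification time. The log lines, host name, PIDs, addresses and the year are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/secure (host, PIDs and addresses are made up).
SAMPLE_LOG = """\
Mar  3 09:58:10 host1 sshd[4101]: Accepted password for jb51 from 192.0.2.10 port 50111 ssh2
Mar  3 10:02:44 host1 sshd[4150]: Failed password for jb51 from 192.0.2.99 port 50200 ssh2
Mar  3 10:05:31 host1 sshd[4188]: Accepted password for jb51 from 192.0.2.20 port 50302 ssh2
Mar  3 10:09:02 host1 sshd[4101]: pam_unix(sshd:session): session closed for user jb51
Mar  3 10:30:15 host1 sshd[4240]: Accepted password for jb51 from 192.0.2.30 port 50410 ssh2
Mar  3 10:41:00 host1 sshd[4188]: pam_unix(sshd:session): session closed for user jb51
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Accepted password for (\S+) from (\S+) port \d+")

def parse_sessions(log_text, year):
    """Pair each accepted login with its session close by sshd PID.
    Syslog timestamps carry no year, so the caller supplies it."""
    sessions, open_by_pid = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        accepted = ACCEPT.match(msg)
        if accepted:
            open_by_pid[pid] = {"user": accepted.group(1), "ip": accepted.group(2),
                                "login": when, "logout": None}
            sessions.append(open_by_pid[pid])
        elif "session closed for user" in msg and pid in open_by_pid:
            open_by_pid.pop(pid)["logout"] = when   # pop, because PIDs get reused
    return sessions

def candidates(sessions, mtime):
    """Source IPs of sessions that were open when the file was modified."""
    return sorted(s["ip"] for s in sessions
                  if s["login"] <= mtime and (s["logout"] is None or mtime <= s["logout"]))

if __name__ == "__main__":
    # On a real host: mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
    mtime = datetime(2024, 3, 3, 10, 7, 0)   # constructed modification time
    print(candidates(parse_sessions(SAMPLE_LOG, 2024), mtime))
```

When two sessions overlap the modification time, as in the sample, the result is a list of candidates rather than an answer, which is the limit of this method with a shared login.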