This may be an impossible task, but being a bit of a noob, I have to ask.
Is there any way to find out which user last made any sort of changes to a file?
e.g. let's say that a config file is changed, and it doesn't work any more - and of course, when you ask around, "nobody touched that file". Is there any way to find out who last changed it? Or is there absolutely no record of that sort?
(using multiple flavours of Solaris, in case that makes a difference)
Moved: This thread is more suitable in <SOLARIS> and has been moved accordingly to help your thread/question get the exposure it deserves.
I seem to recall that Solaris has some sort of auditing features, but if people happen
to log in via ssh as the same user you'd need to try and match their IPs from the output
of last to the time the file was last modified. Of course that's not fool-proof since
several could have been logged in at the same time.
Ideally you'd want to avoid that kind of stuff happening by using CVS (or similar)
and have configuration changes polled via daemon or so. (Or use cfengine or other
tools to achieve the desired effect).
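
The correlation described in the reply above (matching login sessions from `last` against a file's modification time), as an added example that is not part of the original thread. The sample lines, the year and the helper names are constructed for illustration; `last` prints no year, so it is passed in.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of `last` output (not taken from the thread).
SAMPLE_LAST = """\
alice     pts/3        10.0.0.21        Tue Mar  4 09:02 - 11:40  (02:38)
bob       pts/4        10.0.0.35        Tue Mar  4 10:15 - 10:55  (00:40)
carol     pts/5        10.0.0.48        Tue Mar  4 13:05   still logged in
bob       pts/2        10.0.0.35        Mon Mar  3 16:20 - 17:01  (00:41)
"""

# user, tty, remote host, weekday, month, day, start, then end or "still logged in"
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"\w{3} (?P<mon>\w{3})\s+(?P<day>\d+) (?P<start>\d\d:\d\d)"
    r"(?: - (?P<end>\d\d:\d\d)|\s+still logged in)")

def parse_sessions(text, year, now):
    """Turn `last`-style lines into (user, host, start, end) tuples."""
    sessions = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # reboot records, wtmp trailer, lines without a remote host
        day = f"{year} {m['mon']} {m['day']}"
        start = datetime.strptime(f"{day} {m['start']}", "%Y %b %d %H:%M")
        if m["end"]:
            end = datetime.strptime(f"{day} {m['end']}", "%Y %b %d %H:%M")
            if end < start:                 # session ran past midnight
                end += timedelta(days=1)
            end += timedelta(minutes=1)     # `last` only has minute precision
        else:
            end = now                       # session is still open
        sessions.append((m["user"], m["host"], start, end))
    return sessions

def candidates(sessions, mtime):
    """Every (user, host) logged in at mtime; several entries mean no single answer."""
    return sorted({(u, h) for u, h, s, e in sessions if s <= mtime < e})
```

In real use the timestamp would come from the file's mtime (`os.stat(path).st_mtime`); a result with more than one entry is the ambiguity the reply warns about.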
If you have a bunch of people running around with a root password and su access, you're pretty boned.
If you want to prevent this sort of thing in the future, you need to learn how to properly set up, use, and write secure rules for sudo. Not only does it allow you to allow people to only run the commands they need, and possibly only edit the files they need to edit, but it allows you to audit who did what if you have a tight setup with no evil shell escapes, no sudo bash, and no other loopholes.
Generally everyone here uses their own user names unless they need root access.
It's more of a general question of:
"is there a simple way (without using cvs, etc) to see which user/login last made changes to any arbitrary file?"
I think I have the answer to my question from the above posts anyway. It seems that you either use a versioning system or some kind of 'big brother' auditing daemon...
The simple way to solve this problem (as has been hinted above) is to ensure that the wrong people cannot change files that they are not supposed to.
If you have to have multiple root users (and they should really be competent; maybe that isn't an option open to you!), I think I would ensure that there is no root login; everyone would log in as their own user name and su to root only if necessary. You could log that and correlate that to any bad file changes.
While a nice little witch-hunt within the ranks can be quite
refreshing the objective is (should be?) to get the file back
into a working state. Finding who screwed it up won't necessarily
help with that. Neither will an audit daemon... a version
control system will - plus (as a bonus) you'll see WHO made
the change that caused problems on top of that.
Cheers,
Tink
But if you know who screwed up, you have a chance of finding out what they were doing and why. You can also stop them from doing bad things in future, which might be training or something else.
This doesn't really contradict my statement all that much.
It's all a matter of training (and processes), and a version
control system has clear advantages. As you said "you have
a chance". If that change was done 6 months ago, and it only
cropped up now because the machine/service only just got bounced
you're pretty much out of luck, and again, knowing who did it
won't help you at all. It's about a sensible process as far
as I am concerned.