This may be an impossible task, but being a bit of a noob, I have to ask.

Is there any way to find out which user last made any sort of changes to a file?

e.g. lets say that a config file is changed, and it doesn't work any more - and of course, when you ask around "nobody touched that file". Is there any way to find out who last changed it? or is there absolutely no record of that sort?
(using multiple flavours of Solaris, in case that makes a difference)

How is "that file" being accessed using varied flavours of Solaris?


Cheers,
Tink

Just in the bash shell - via putty sessions.

Moved: This thread is more suitable in <SOLARIS> and has been moved accordingly to help your thread/question get the exposure it deserves.


I seem to recall that Solaris has some sort of auditing features, but if people happen
to log in via ssh as the same user you'd need to try and match their IPs from the output
of last to the time the file was last modified. Of course that's not fool-proof since
several could have been logged in at the same time.

Ideally you'd want to avoid that kind of stuff happening by using CVS (or similar)
and have configuration changes polled via daemon or so. (Or use cfengine or other
tools to achieve the desired effect).



Cheers,
Tink

Solaris has a built in versioning software called sccs

For more information

If you have a bunch of people running around with a root password and su access, your pretty boned.

If you want to prevent this sort of thing in the future, you need to learn how to properly set up, use, and write secure rules for sudo. Not only does it allow you to allow people to only run the commands they need, and possibly only edit the files they need to edit, but it allows you to audit who did what if you have a tight setup with no evil shell escapes, no sudo bash, and no other loopholes.

Generally everyone here uses their own user names unless they need root access.

It's more of a general question of:
"is there a simple way (without using cvs, etc) to see which user/login last made changes to any arbitrary file?"

I think I have the answer to my question from the above posts anyway. It seems that you either use a versioning system or some kind of 'big brother' auditing daemon...

The simple way to solve this problem (as has been hinted above) is to ensure that the wrong people cannot change files that they are not supposed to.

If you have to have multiple root users (and they should really be competent; maybe that isn't an option open to you!), I think I would ensure that there is no root login; everyone would login as their own user name and su to root only if necessary. You could log that and correlate that to any bad file chages.

While a nice little witch-hunt within the ranks can be quite
refreshing the objective is (should be?) to get the file back
into a working state. Finding who screwed it up won't necessarily
help with that. Neither will an audit daemon... a version
control system will - plus (as a bonus) you'll see WHO made
the change that caused problems on top of that.



Cheers,
Tink

For the witch hunting side, BSM auditing is a Solaris tool that can help:
http://docs.sun.com/app/docs/doc/816...28?l=en&a=view

But if you know who screwed up, you have a chance of finding out what they were doing and why. You can also stop them from doing bad things in future, which might be training or something else.

This doesn't really contradict my statement all that much.
It's all a matter of training (and processes), and a version
control system has clear advantages. As you said "you have
a chance". If that change was done 6 months ago, and it only
cropped up now because the machine/service only just got bounced
you're pretty much out of luck, and again, knowing who did it
won't help you at all. It's about a sensible process as far
as I am concerned.


Cheers,
Tink

I usually walk around the office saying:

"what bloody idiot screwed up that file?"