inotify - How to find out which user has modified a file?
I'm looking for guidance on how to find out which user has modified a particular file. While inotify is great to get notification when a particular file is touched, how do I figure out which user has modified that file? I can think of using lsof but I'm afraid that it may not be as "realtime" as I want and/or it might be too much of a tax on resources. By realtime, I mean that if a user simply executes a touch command on a file, by the time I run lsof on file, it may not be picked up by lsof.
You can use the audit daemon:
Choose a file to monitor
Add audit for write and attribute change (-p wa):
The file is touched by some user:
Check audit logs:
You can see the UID of the user who ran the command in the output.
For details of usage see man pages or this sample guide.
If you add -i option in the earlier command, you will get output in more human readable format. You will get the uid converted to the real username in the server.
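An added example (not from either answer) of the audit approach described above: it builds the -w / -p wa watch rule and reads raw audit records to report who touched the file. The path /srv/app/config.yml, the key cfg-watch used with -k, and the log records are constructed for illustration.

```shell
#!/bin/sh
# Added example. The file path, key name and log records are constructed.

# Build the watch rule: -w file, -p wa = writes and attribute changes,
# -k tags matching events so they are easy to search for.
# As root:  auditctl $(watch_rule /srv/app/config.yml cfg-watch)
# Query:    ausearch -k cfg-watch -i     (-i turns uids into usernames)
watch_rule() {
    printf '%s\n' "-w $1 -p wa -k $2"
}

# Constructed SYSCALL records in the raw audit.log layout (fields trimmed).
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:51): arch=c000003e syscall=257 success=yes exit=3 ppid=2211 pid=2290 auid=1001 uid=1001 gid=1001 euid=1001 comm="touch" exe="/usr/bin/touch" key="cfg-watch"
type=SYSCALL msg=audit(1700000040.202:52): arch=c000003e syscall=257 success=yes exit=3 ppid=2300 pid=2301 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="cfg-watch"
type=SYSCALL msg=audit(1700000050.303:53): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2400 auid=1002 uid=1002 gid=1002 euid=1002 comm="ls" exe="/usr/bin/ls" key="other-rule"
EOF
}

# who_modified KEY: read raw records on stdin and print one line per event
# tagged with KEY. auid is the login uid, so it still names the person
# after su/sudo, when uid has already become 0.
who_modified() {
    awk -v want="$1" '
    $1 == "type=SYSCALL" {
        split("", f)                        # clear the field map
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")
            if (!eq) continue
            v = substr($i, eq + 1)
            gsub(/"/, "", v)                # drop the quotes around strings
            f[substr($i, 1, eq - 1)] = v
        }
        if (f["key"] == want)
            printf "auid=%s uid=%s exe=%s\n", f["auid"], f["uid"], f["exe"]
    }'
}

sample_log | who_modified cfg-watch
```

On a live system, feed it real records instead of the sample, for example the raw output of ausearch for the same key.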