是否有命令可以显示修改了文件的用户列表并提供文件历史记录?
我知道这可以通过 svn/git 等实现。但是我们有一个 SVN 中没有的配置文件,并且有人修改了它。
答案1
如果您之前未启用某种审核,则没有工具可以在文件修改后报告此情况。您可以获取文件上次修改的日期和时间,但不能获取修订历史记录。
接下来,您可以安装、设置、启用该auditd
包。
从auditctl
手册页:
-w path
Insert a watch for the file system object at path. You cannot insert
a watch to the top level directory. This is prohibited by the kernel.
Wildcards are not supported either and will generate a warning. The way
that watches work is by tracking the inode internally. If you place a
watch on a file, its the same as using the -F path option on a
syscall rule. If you place a watch on a directory, its the same as using
the -F dir option on a syscall rule. The -w form of writing watches
is for backwards compatibility and the syscall based form is more
expressive. Unlike most syscall auditing rules, watches do not impact
performance based on the number of rules sent to the kernel. The only
valid options when using a watch are the -p and -k. If you need to
anything fancy like audit a specific user accessing a file, then use
the syscall auditing form with the path or dir fields.
问题中有更多关于此的讨论记录隐藏文件的创建
答案2
这里讨论如何使用 inotify 进行黑客攻击,使其为您提供 PID 和 UID。 http://www.ioremap.net/node/55
另请参阅审计 http://andries.filmer.nl/kb/Monitoring-file-system-events-with-inotify,-incron-and-authctl/129#Audit