1

I want to get the username of whoever modified a file in a watched directory on the Linux operating system (Ubuntu).

I am getting notifications of modified files in the watched directory through inotify, but I didn't get the username of who modified them.

I used auditctl to add the same watch directory path that is added in inotify, and I am getting information using ausearch.

But I am getting the whole information about the file which is modified in the watched directory, which is totally not of use to me.

I specifically want the username of whoever recently modified that file in the watch directory.

I referred to https://github.com/linux-audit/audit-testsuite for installing and using auditctl.

My main task is to get the username of who last modified a particular file; how can I do this?

Marco Bonelli
  • 1
    There is a race condition, but you could `lsof thefile` right after you receive from `inotify` that the file is opened/modified. But if the file is opened by multiple users, you wouldn't know which of them modified it. – KamilCuk Nov 26 '19 at 16:00
  • Per the comments, this is a duplicate of the linked question. – Andrew Henle Nov 27 '19 at 12:47

1 Answer

2

There is no way to do what you ask in C. Everything you can know about a file can be retrieved through the stat syscall. This does not include any information about which user or group last modified the file, since it is something that is simply not tracked by the system, not even with SELinux enabled.

Marco Bonelli
  • Auditing - if configured properly - will definitely record the opening and modification of the file, including the user. It won't do that in real-time, however, and only privileged users would have access to the audit data. – Andrew Henle Nov 26 '19 at 16:22
  • Yes, you are right. But it gives extra non-required info using the "ausearch" command. If you modified a file then it gives info of the file and also gives the .swp, .swx of that file. So, I can't get the specific section which has that specific file's info – Anup Agrawal Nov 26 '19 at 16:24
  • 1
    @AndrewHenle OP tagged this question as C and is talking about specific syscalls. There is no way to do what OP asks for with a simple C program, that's what I meant. – Marco Bonelli Nov 26 '19 at 16:32
  • @MarcoBonelli That's a fair assessment of the question. I wonder exactly what problems the OP is having extracting the username from audit data, though. – Andrew Henle Nov 26 '19 at 16:36
  • @AndrewHenle inotify – how to find out which user has modified file – Anup Agrawal Nov 27 '19 at 10:00
  • @MarcoBonelli inotify – how to find out which user has modified file – Anup Agrawal Nov 27 '19 at 10:01
  • @AnupAgrawal You can't. – Andrew Henle Nov 27 '19 at 12:48