Inotify - How to Find Out Which User Has Modified File

inotify - how to find out which user has modified file?

You can use the audit daemon:

sudo apt-get install auditd

Choose a file to monitor

touch /tmp/myfile

Add audit for write and attribute change (-p wa):

sudo auditctl -w /tmp/myfile -p wa -k my-file-changed

The file is touched by some user:

touch /tmp/myfile

Check audit logs:

sudo ausearch -k my-file-changed | tail -1

You can see the UID of the user who ran the command in the output:

type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2
success=yes exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0
items=1 ppid=3428 pid=4793 auid=4294967295 uid=1000 gid=1000 euid=1000
suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1
ses=4294967295 comm="touch" exe="/bin/touch" key="my-file-changed"

For details of usage see the man pages or this sample guide.

Any ways to show file changes (with pyinotify for example)?

The inotify mechanism does not embed the deltas in the event, because it would have to compute them before the file is saved, and this could affect performance since this information is not usually needed.

You could use an approach like:

  • Read the data from file.txt and store it in a variable (or another file if persistence is needed).

  • Listen for change events using pyinotify or watchdog.

  • When the event is fired, use difflib to compute the deltas between the previous snapshot you stored and the current file data.

How do I make my program watch for file modification in C++?

There are several ways to do this depending on the platform. I would choose from the following choices:

Cross Platform

Trolltech's Qt has an object called QFileSystemWatcher which allows you to monitor files and directories. I'm sure there are other cross platform frameworks that give you this sort of capability too, but this one works fairly well in my experience.

Windows (Win32)

There is a Win32 API called FindFirstChangeNotification which does the job. There is a nice article with a small wrapper class for the API, called How to get a notification if change occurs in a specified directory, which will get you started.

Windows (.NET Framework)

If you are OK using C++/CLI with the .NET Framework then System.IO.FileSystemWatcher is your class of choice. Microsoft has a nice article on how to monitor file system changes using this class.

OS X

The FSEvents API is new for OS X 10.5 and very full-featured.

Linux

Use inotify as Alex mentioned in his answer.

How to find modified files in Python

There are several ways to detect changes in files. Some are easier to
fool than others. It doesn't sound like this is a security issue; more
like good faith is assumed, and you just need to detect changes without
having to outwit an adversary.

You can look at timestamps. If files are not renamed, this is a good way
to detect changes. If they are renamed, timestamps alone wouldn't
suffice to reliably tell one file from another. os.stat will tell you
the time a file was last modified.

You can look at inodes, e.g., ls -li. A file's inode number may change
if changes involve creating a new file and removing the old one; this is
how emacs typically changes files, for example. Try changing a file
with the standard tool your organization uses, and compare inodes before
and after; but bear in mind that even if it doesn't change this time, it
might change under some circumstances. os.stat will tell you inode
numbers.

You can look at the content of the files. cksum computes a small CRC
checksum on a file; it's easy to beat if someone wants to. Programs such
as sha256sum compute a secure hash; it's infeasible to change a file
without changing such a hash. This can be slow if the files are large.
The hashlib module will compute several kinds of secure hashes.

If a file is renamed and changed, and its inode number changes, it would
be potentially very difficult to match it up with the file it used to
be, unless the data in the file contains some kind of immutable and
unique identifier.

Think about concurrency. Is it possible that someone will be changing a
file while the program runs? Beware of race conditions.
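One way to combine the snapshot-and-difflib approach from the pyinotify answer above with the mtime, inode and secure-hash indicators from this answer, as an added example that is not part of any of the posted answers. It assumes the watched file is file.txt and that an inotify or watchdog handler (not shown) calls on_modify_event with the snapshot it stored last time; take_snapshot, compare and on_modify_event are names chosen here.

```python
import difflib
import hashlib
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    inode: int       # identity on disk; changes when an editor writes a new file and renames it
    mtime_ns: int    # last-modified time; easy to reset, so not trusted on its own
    size: int
    sha256: str      # content hash; cannot stay constant while the content changes
    lines: tuple     # content kept so the next comparison can produce a line diff

def take_snapshot(path):
    """Read the file once and record inode, mtime, size, hash and content."""
    with open(path, "rb") as f:
        data = f.read()
    st = os.stat(path)
    text = data.decode("utf-8", "replace")
    return Snapshot(st.st_ino, st.st_mtime_ns, st.st_size,
                    hashlib.sha256(data).hexdigest(),
                    tuple(text.splitlines(keepends=True)))

def compare(old, new, path="file.txt"):
    """Return (signals, diff): which indicators changed, and a unified diff of
    the content (empty when the content is byte-for-byte identical)."""
    signals = []
    if old.inode != new.inode:
        signals.append("inode")
    if old.mtime_ns != new.mtime_ns:
        signals.append("mtime")
    if old.sha256 != new.sha256:
        signals.append("content")
    diff = list(difflib.unified_diff(old.lines, new.lines,
                                     fromfile=path + " (previous)",
                                     tofile=path + " (current)"))
    return signals, diff

def on_modify_event(previous, path):
    """Hook for an inotify/watchdog IN_MODIFY handler (wiring assumed, not shown):
    compare against the stored snapshot, report, and return the new snapshot."""
    current = take_snapshot(path)
    signals, diff = compare(previous, current, path)
    if signals:
        print(f"{path}: changed ({', '.join(signals)})")
        print("".join(diff), end="")
    return current, signals, diff
```

A touch that only bumps the timestamp reports "mtime" with an empty diff, while an edit reports "content" together with the changed lines.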
