how to detect a user who changed a particular file in Linux.

how to detect a user who changed a particular file in Linux.

[V.Ravikumar]

Hi all,

(Note : I'm writing this mail to this kernel group as I did not find any
suitable mechanism in application level for my below need).

If a  file modified by some user then how can we detect that user who
modified it.

Linux audit was not suitable for my need.

Can this be achieved through kernel driver/module.

Any other suggestions/help would be welcome.

Thanks in advance.

Regards,
Ravikumar.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110516/9580963e/attachment.html 

how to detect a user who changed a particular file in Linux.

[Neependra Khare]

On Mon, May 16, 2011 at 3:02 PM, V.Ravikumar
<ravikumar.vallabhu@gmail.com>wrote:

>
> If a  file modified by some user then how can we detect that user who
> modified it.
>

SystemTap can help you. Have a look at following examples:-
http://sourceware.org/systemtap/wiki/WSFileMonitor
http://sourceware.org/systemtap/wiki/WSFileMonitor2

-- 
Regards,
Neependra
www.neependra.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110516/61492c3a/attachment.html 

how to detect a user who changed a particular file in Linux.

[Greg KH]

On Mon, May 16, 2011 at 03:02:10PM +0530, V.Ravikumar wrote:
> 
> Hi all,
> 
> (Note : I'm writing this mail to this kernel group as I did not find any
> suitable mechanism in application level for my below need).
> 
> If a? file modified by some user then how can we detect that user who modified
> it.
> 
> Linux audit was not suitable for my need.

Why not?  It should have showed you this exactly.

how to detect a user who changed a particular file in Linux.

[V.Ravikumar]

On Mon, May 16, 2011 at 7:45 PM, Greg KH <greg@kroah.com> wrote:

> On Mon, May 16, 2011 at 03:02:10PM +0530, V.Ravikumar wrote:
> >
> > Hi all,
> >
> > (Note : I'm writing this mail to this kernel group as I did not find any
> > suitable mechanism in application level for my below need).
> >
> > If a  file modified by some user then how can we detect that user who
> modified
> > it.
> >
> > Linux audit was not suitable for my need.
>
> Why not?  It should have showed you this exactly.
>
>
For my need, I have to asynchronously notify  if a given file was modified
by some user using some program.

As per my understanding for audit , one has to update system specific audit
configuration files(say using some auditd related command line tools) with
given  file and it is not suitable for my requirement.

Is there any other ways apart from using SystemTap and auditd command line
tools.

Thanks for all your suggestions so far.

Regards,
Ravikumar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110517/8b751173/attachment.html 

how to detect a user who changed a particular file in Linux.

[Nuno Martins]

On Tue, May 17, 2011 at 11:31 AM, V.Ravikumar
<ravikumar.vallabhu@gmail.com> wrote:
>
>
> On Mon, May 16, 2011 at 7:45 PM, Greg KH <greg@kroah.com> wrote:
>>
>> On Mon, May 16, 2011 at 03:02:10PM +0530, V.Ravikumar wrote:
>> >
>> > Hi all,
>> >
>> > (Note : I'm writing this mail to this kernel group as I did not find any
>> > suitable mechanism in application level for my below need).
>> >
>> > If a? file modified by some user then how can we detect that user who modified
>> > it.
>> >
>> > Linux audit was not suitable for my need.
>>
>> Why not? ?It should have showed you this exactly.
>>
>
> For my need, I have to asynchronously notify? if a given file was modified by some user using some program.
>
> As per my understanding for audit , one has to update system specific audit configuration files(say using some auditd related command line tools) with given? file and it is not suitable for my requirement.
>
> Is there any other ways apart from using SystemTap and auditd command line tools.
>
> Thanks for all your suggestions so far.

Have you considered using KProbes or tracepoints ?
For KProbes you do write some kernel module to monitor the function
you want. You have to be carefull not to try to monitor inlined
functions.
You could try to combine the use of KProbes with KThreads or
usermode-helper process.

It is just a thought.


>
> Regards,
> Ravikumar
>
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>
--
Nuno Martins