From mboxrd@z Thu Jan 1 00:00:00 1970
From: nuno.m.g.martins@gmail.com (Nuno Martins)
Date: Tue, 17 May 2011 12:05:32 +0100
Subject: how to detect a user who changed a particular file in Linux.
In-Reply-To:
References: <20110516141545.GA30802@kroah.com>
Message-ID:
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

On Tue, May 17, 2011 at 11:31 AM, V.Ravikumar wrote:
>
> On Mon, May 16, 2011 at 7:45 PM, Greg KH wrote:
>>
>> On Mon, May 16, 2011 at 03:02:10PM +0530, V.Ravikumar wrote:
>> >
>> > Hi all,
>> >
>> > (Note: I'm writing this mail to this kernel group as I did not find any
>> > suitable mechanism at the application level for my need below.)
>> >
>> > If a file is modified by some user, how can we detect the user who
>> > modified it?
>> >
>> > Linux audit was not suitable for my need.
>>
>> Why not? It should have shown you this exactly.
>>
>
> For my need, I have to asynchronously notify if a given file was modified
> by some user using some program.
>
> As per my understanding of audit, one has to update system-specific audit
> configuration files (say, using some auditd-related command line tools)
> with the given file, and that is not suitable for my requirement.
>
> Are there any other ways apart from using SystemTap and the auditd command
> line tools?
>
> Thanks for all your suggestions so far.

Have you considered using KProbes or tracepoints?
For KProbes you write a kernel module to monitor the function you want.
You have to be careful not to try to monitor inlined functions.
You could try to combine the use of KProbes with KThreads or a
usermode-helper process.
It is just a thought.

>
> Regards,
> Ravikumar
>

-- 
Nuno Martins
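The caution above about inlined functions can be checked before writing a KProbes module: a kprobe attaches by symbol, and an inlined function has no symbol of its own in /proc/kallsyms. The following userspace check is an added example, not code from this thread; the listing is constructed, and `fixup_path`, `file_counter`, `demo_open`, `demo_mod` and `inlined_helper` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

enum probe_status { PROBE_OK, PROBE_CLONE_ONLY, PROBE_NOT_TEXT, PROBE_ABSENT };

/* Constructed sample in /proc/kallsyms layout: "address type name [module]". */
static const char SAMPLE_KALLSYMS[] =
    "ffffffff81100000 T vfs_write\n"
    "ffffffff81100400 t fixup_path.isra.0\n"
    "ffffffff81a00000 D file_counter\n"
    "ffffffffa0000000 t demo_open\t[demo_mod]\n";

/* Classify `name` against a kallsyms listing; only t/T count as code here. */
enum probe_status probe_target_status(const char *text, const char *name)
{
    enum probe_status best = PROBE_ABSENT;
    size_t nlen = strlen(name);
    for (const char *line = text; *line; ) {
        size_t len = strcspn(line, "\n");
        char buf[256], addr[32], sym[128], type;
        if (len < sizeof(buf)) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%31s %c %127s", addr, &type, sym) == 3) {
                int is_text = (type == 't' || type == 'T');
                if (strcmp(sym, name) == 0) {
                    if (is_text)
                        return PROBE_OK;      /* exact code symbol: probe can attach */
                    best = PROBE_NOT_TEXT;    /* a data symbol, not a function */
                } else if (is_text && best == PROBE_ABSENT &&
                           strncmp(sym, name, nlen) == 0 && sym[nlen] == '.') {
                    best = PROBE_CLONE_ONLY;  /* only compiler clones: name.isra.N etc. */
                }
            }
        }
        line += len;
        if (*line == '\n') line++;
    }
    return best;
}

int main(void)
{
    static const char *names[] = { "vfs_write", "fixup_path", "file_counter", "inlined_helper" };
    static const char *msg[] = { "ok", "clone only", "not code", "absent (inlined or not built)" };
    for (int i = 0; i < 4; i++)
        printf("%-16s %s\n", names[i], msg[probe_target_status(SAMPLE_KALLSYMS, names[i])]);
    return 0;
}
```

On a live system, pass the contents of /proc/kallsyms as `text`; a result other than `PROBE_OK` means the plain function name will not resolve for a probe.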