How to Determine the Last User Who Modified a File in Linux (RHEL)


In Linux, including RHEL, no standard file system records which user last wrote a file: the inode stores an owner and three timestamps, nothing more. The stat command is the place to start because it shows exactly those, but attributing a change to a person takes audit logging, and that has to be in place before the change happens.

# Basic file status information
stat filename.txt

# Output shows the owner (Uid) and the three timestamps, but there is no "modified by" field.
# Access = last read (atime), Modify = content last written (mtime),
# Change = inode metadata (owner, mode, link count) last changed (ctime)
  File: filename.txt
  Size: 4096       Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 1835011     Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/   user1)   Gid: ( 1000/  group1)
Access: 2023-05-15 14:30:22.000000000 -0400
Modify: 2023-05-15 14:30:22.000000000 -0400
Change: 2023-05-15 14:30:22.000000000 -0400

For an actual answer you need the audit subsystem recording writes as they happen. Enable auditd and put a watch on the file:

# Install auditd if not present
sudo yum install audit

# Start and enable the service
sudo systemctl start auditd
sudo systemctl enable auditd

# Add a watch rule for specific files: log writes (w) and attribute changes (a).
# Rules added with auditctl do not survive a reboot; keep a copy under /etc/audit/rules.d/
sudo auditctl -w /path/to/file -p wa -k file-modifications

# Check audit logs; -i resolves numeric uids to names
sudo ausearch -k file-modifications -i | tail -20

In the matching SYSCALL record, auid is the login uid, the account that authenticated at the start of the session, and it is preserved across sudo and su; uid is the account the write actually ran as (root after sudo). auid is the field that answers "who", and an auid of -1 (4294967295) means the write came from a daemon or boot-time process rather than a logged-in user.

Without audit records from the time of the change you can only narrow the window: list what changed recently and see who owns it. Treat the owner as context, not as the answer. It is whoever created the file (or whoever chown set), and it stays the same when another user with write permission, or root via sudo, rewrites the content. Compare the Change (ctime) and Modify (mtime) timestamps from stat: ctime moves when the inode itself (owner, mode, link count) is touched, mtime only when the content is written.

# Find files modified in the last 24 hours, with owner and mtime
find /path/to/dir -type f -mtime -1 -exec ls -l {} +

# Sample output: owner user1, content last written May 15 14:30
-rw-r--r-- 1 user1 group1 1024 May 15 14:30 /path/to/file
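As an added example (not code from the original page), the following script applies the ctime/mtime distinction just described to a whole directory: for every file whose inode changed since a given time it reports whether the content was written (M) or only metadata such as owner or mode changed (C), together with the mtime and current owner. It assumes GNU find and stat as shipped with RHEL, and the demo files it creates in a temporary directory are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page: list files changed since a given
# time and say whether the content (mtime) or only the inode metadata (ctime:
# chown, chmod, touch) changed. The owner is printed for context only; nothing
# in the inode says who wrote the file.
# Assumes GNU find/stat (RHEL). File names containing newlines are not handled.

# $1 = directory, $2 = timestamp accepted by find -newerXt, e.g. "2023-05-15 14:00"
# Output: "<M|C> <mtime> <owner> <path>"
#   M = content written since $2 (mtime newer; ctime moves with it)
#   C = only metadata changed since $2 (ctime newer, mtime older)
recent_changes() {
    dir="$1"; since="$2"
    find "$dir" -type f -newerct "$since" | sort | while IFS= read -r f; do
        if [ -n "$(find "$f" -maxdepth 0 -newermt "$since")" ]; then
            kind=M
        else
            kind=C
        fi
        printf '%s %s %s %s\n' "$kind" "$(stat -c %y "$f" | cut -d. -f1)" "$(stat -c %U "$f")" "$f"
    done
}

# Constructed demo in a temp dir: "old" is given a 2020 mtime, but setting the
# time and running chmod both update its ctime to now, so it shows up as a
# metadata-only change; "new" is written now and shows up as a content change.
demo() {
    d=$(mktemp -d)
    touch -d '2020-01-01 00:00:00' "$d/old"
    chmod 600 "$d/old"
    printf 'hello\n' > "$d/new"
    recent_changes "$d" '2021-01-01 00:00:00'
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `sh recent_changes.sh --demo`, or source it and call `recent_changes /etc '2023-05-15 14:00'` on a real host. A C line for a file whose mtime predates the window is the signature of chown, chmod or touch rather than an edit.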

For critical files you can add real-time monitoring with inotifywait, but be clear about what it cannot tell you: an inotify event carries the path and the event type, never the uid of the process that made the change, and inotifywait has no %u format specifier (the valid ones are %w, %f, %e and %T). Use it to know that and when something changed, and auditd to know who.

# Install inotify-tools
sudo yum install inotify-tools

# Monitor a directory for changes and append each event to a log
# (run as a user that can write the log file)
inotifywait -m /path/to/watch -e modify -e attrib -e move -e create -e delete --format '%T %e %w%f' --timefmt '%F %T' | while IFS= read -r line
do
    echo "$(date '+%F %T') - $line" >> /var/log/file_changes.log
done

Remember these key points:

  • Standard Linux file systems don't natively track modification users; the inode stores an owner and timestamps only
  • Auditd adds some overhead but records the login uid (auid) of the writer, even when the write happened under sudo
  • Ownership changes don't always mean content modification; compare ctime with mtime before drawing conclusions
  • Auditing only explains changes made after the rule was loaded, so for compliance requirements put it in place early

In Linux systems, particularly RHEL (Red Hat Enterprise Linux), you can narrow down the last user who modified a file using several methods. The file's own metadata and the system logs are the starting point, but only audit records actually name the user.

The stat command displays detailed file information, including the owner and the three timestamps:

stat filename

Example output:

  File: filename
  Size: 4096       Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 262145      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/username)   Gid: ( 1000/username)
Access: 2023-05-15 14:30:22.123456789 +0000
Modify: 2023-05-15 14:35:18.987654321 +0000
Change: 2023-05-15 14:35:18.987654321 +0000

For more comprehensive tracking, use the Linux audit daemon (auditd). A rule added with auditctl lasts only until the next reboot; to keep it, put the same rule line in a file under /etc/audit/rules.d/ and load it with augenrules --load.

# Install auditd if not present
sudo yum install audit

# Add a watch rule for a specific file (w = writes, a = attribute changes)
sudo auditctl -w /path/to/file -p wa -k file_modifications

# Search the audit logs; -i resolves uids to names
sudo ausearch -k file_modifications -i | tail -20
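The watch rule above, like the file-modifications rule in the earlier auditd section, produces raw records in /var/log/audit/audit.log, and the field that names the person is auid. The following script is an added example, not code from the original page: it parses those raw records for a given key and prints, per write, the login user (auid), the effective uid the write ran as, the program, and the path taken from the matching PATH record. It assumes GNU date and sed plus getent for uid lookup (all present on RHEL); the two sample events it ships with are constructed, one showing a user editing /etc/hosts through sudo (auid set, uid root) and one showing a daemon write with no login session (auid unset).

```sh
#!/bin/sh
# Added example (not from the page): answer "who modified this file?" from raw
# /var/log/audit/audit.log records produced by a '-w <file> -p wa -k <key>' rule.
# Assumes GNU date/sed and getent (RHEL). The records written by
# write_sample_log are constructed for the demo, not captured from a real host.

# Map a numeric uid to a name. auid=4294967295 (-1) means "never set": the
# process came from boot or a daemon, not from a login session.
uid_to_name() {
    id="$1"
    if [ "$id" = "4294967295" ]; then
        echo "unset"
        return 0
    fi
    name=$(getent passwd "$id" 2>/dev/null | cut -d: -f1)
    echo "${name:-uid$id}"
}

# Extract one "field=value" (quoted or bare) from an audit record line.
# The leading space keeps "uid=" from matching inside "auid=" or "fsuid=".
audit_field() {
    printf '%s\n' "$1" | sed -nE "s/.* $2=\"?([^\" ]*).*/\1/p"
}

# Print one line per SYSCALL record carrying the given key:
#   <UTC time> serial=<n> auid=<login user>(<id>) uid=<effective user>(<id>) comm=<prog> exe=<path> path=<file>
# auid is who logged in (preserved across sudo/su); uid is who the write ran as.
audit_who_modified() {
    logfile="$1"; key="$2"
    grep -F "key=\"$key\"" "$logfile" | grep '^type=SYSCALL' | while IFS= read -r line; do
        epoch=$(printf '%s\n' "$line" | sed -nE 's/.*msg=audit\(([0-9]+)\.[0-9]+:[0-9]+\).*/\1/p')
        serial=$(printf '%s\n' "$line" | sed -nE 's/.*msg=audit\([0-9.]+:([0-9]+)\).*/\1/p')
        auid=$(audit_field "$line" auid)
        uid=$(audit_field "$line" uid)
        comm=$(audit_field "$line" comm)
        exe=$(audit_field "$line" exe)
        # The PATH record(s) sharing the event id name the file; skip the
        # parent-directory entry that open(2) also generates.
        pathrec=$( (grep -F "msg=audit($epoch." "$logfile" | grep -F ":$serial):" \
                    | grep '^type=PATH' | grep -v 'nametype=PARENT' | head -n 1) || true)
        path=$(audit_field "$pathrec" name)
        printf '%s serial=%s auid=%s(%s) uid=%s(%s) comm=%s exe=%s path=%s\n' \
            "$(date -u -d "@$epoch" +%Y-%m-%dT%H:%M:%SZ)" "$serial" \
            "$(uid_to_name "$auid")" "$auid" "$(uid_to_name "$uid")" "$uid" \
            "$comm" "$exe" "$path"
    done
}

# Constructed sample: a user with uid 1000 ran "sudo vi /etc/hosts" at 18:35 UTC
# (auid=1000, uid=0), and NetworkManager (no login session) rewrote the file at 19:30 UTC.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1684175718.987:1234): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2e3f40 a2=441 a3=1b6 items=2 ppid=4321 pid=4333 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="file_modifications"
type=CWD msg=audit(1684175718.987:1234): cwd="/root"
type=PATH msg=audit(1684175718.987:1234): item=0 name="/etc/" inode=262145 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PATH msg=audit(1684175718.987:1234): item=1 name="/etc/hosts" inode=262146 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1684179000.123:1300): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0 a2=241 a3=1b6 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key="file_modifications"
type=PATH msg=audit(1684179000.123:1300): item=1 name="/etc/hosts" inode=262146 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
EOF
}

# On a real host: audit_who_modified /var/log/audit/audit.log file_modifications
demo() {
    tmp=$(mktemp)
    write_sample_log "$tmp"
    audit_who_modified "$tmp" file_modifications
    rm -f "$tmp"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The demo prints two lines: the first attributes the write to the login user with uid 1000 even though the effective uid is root, which is exactly what ausearch -i shows as auid; the second has auid=unset, the signature of a change made by a service rather than by a person.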

System logs might contain information about file modifications, though only indirectly: /var/log/messages helps only if a program logged the change itself, while /var/log/secure records logins and every sudo command, which you can correlate against the file's mtime to see who had root or ran an editor at that moment:

grep filename /var/log/messages
grep filename /var/log/secure
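A plain grep for the file name misses sudo commands that touched the file without naming it (an editor opened on the directory, a script, a shell started with sudo -i). The correlation that actually works is by time: take the file's mtime and list every sudo command in /var/log/secure that started within a few minutes of it. This is an added example, not code from the original page; it assumes GNU date as on RHEL, and the /var/log/secure excerpt it carries is constructed. Syslog lines carry no year, so the year is taken from LOG_YEAR or, failing that, the current year.

```sh
#!/bin/sh
# Added example (not from the page): narrow "who could have changed this file?"
# by correlating the file's mtime with sudo COMMAND entries in /var/log/secure.
# Assumes GNU date (RHEL). The log lines in write_sample_secure are constructed.
# syslog timestamps have no year; set LOG_YEAR when the log is not from this year.

# "May 15 14:34:50 host ..." -> epoch seconds (local time, same clock stat prints)
syslog_epoch() {
    date -d "$(printf '%s\n' "$1" | awk -v y="${LOG_YEAR:-$(date +%Y)}" '{print $1, $2, y, $3}')" +%s
}

# Print "<offset seconds> <user> <command>" for every sudo command run within
# $3 seconds (default 600) of the epoch in $2. A negative offset means the
# command started before the file's mtime, which is what an editor session looks like.
sudo_commands_near() {
    logfile="$1"; ref="$2"; window="${3:-600}"
    grep -E ' sudo: +[^ ]+ : .*COMMAND=' "$logfile" | while IFS= read -r line; do
        ts=$(syslog_epoch "$line")
        delta=$((ts - ref))
        if [ "$delta" -lt 0 ]; then absd=$((-delta)); else absd=$delta; fi
        [ "$absd" -le "$window" ] || continue
        user=$(printf '%s\n' "$line" | sed -E 's/.* sudo: +([^ ]+) : .*/\1/')
        cmd=$(printf '%s\n' "$line" | sed 's/.*COMMAND=//')
        printf '%+d %s %s\n' "$delta" "$user" "$cmd"
    done
}

# Wrapper for a real file: its mtime is the reference point.
# Usage: who_touched_file /etc/hosts [/var/log/secure] [window_seconds]
who_touched_file() {
    sudo_commands_near "${2:-/var/log/secure}" "$(stat -c %Y "$1")" "${3:-600}"
}

# Constructed /var/log/secure excerpt: alice opens /etc/hosts in vi via sudo at
# 14:34:50; bob's unrelated sudo command is about 90 minutes later.
write_sample_secure() {
    cat > "$1" <<'EOF'
May 15 14:20:01 rhel8 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50212 ssh2
May 15 14:34:50 rhel8 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
May 15 14:35:20 rhel8 sudo: pam_unix(sudo:session): session closed for user root
May 15 16:02:11 rhel8 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
EOF
}

# Demo against the mtime stat reported for the file above, 2023-05-15 14:35:18 local time.
demo() {
    tmp=$(mktemp)
    write_sample_secure "$tmp"
    LOG_YEAR=2023; export LOG_YEAR
    sudo_commands_near "$tmp" "$(date -d '2023-05-15 14:35:18' +%s)" 600
    rm -f "$tmp"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

With a ten-minute window the demo reports only alice's vi session, 28 seconds before the mtime; widening the window to a couple of hours brings in bob's systemctl call as well, which is the reminder that this method yields candidates, not proof. Only audit records tie a specific write to a specific auid.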

For real-time monitoring, consider inotify tools; note that an inotify event names the file and the event type but not the user who caused it:

# Install inotify-tools
sudo yum install inotify-tools

# Monitor a file for changes
inotifywait -m -e modify /path/to/file

Here's a simple bash script that reports a file's timestamps and owner; note that it can only tell you who owns the file, not who last wrote it:

#!/bin/bash
# The inode records an owner and timestamps, never the user who last wrote the file.
set -eu
FILE="${1:-/path/to/file}"
LAST_MOD=$(stat -c %y "$FILE")   # mtime: content last written
LAST_CHG=$(stat -c %z "$FILE")   # ctime: owner/mode/links last changed
OWNER=$(stat -c %U "$FILE")      # current owner, not the last modifier
echo "File $FILE last modified at $LAST_MOD (metadata changed $LAST_CHG), owned by $OWNER"

For enterprise environments, consider:

  • SELinux: AVC records in the audit log show writes that were denied, which complements the watch rules above (a permitted write by an allowed user produces no AVC record)
  • Forwarding audit logs to a central SIEM such as Splunk or an ELK stack, so the records survive tampering on the host
  • Version control systems (Git, SVN) for critical configuration files, so every change carries an author and a diff