How to find out who has modified/edited a file?

[thomas2004ch]

Background:

I use RadHat Linu5.

We usually log in to LINUX via putty (remote). Very often many people use the same user and password to log in.

My question:
I wonder how to tell who has edited/modified a file?

Any idea?

Thomas

[RayAID]

Wooooo...Wooooo.....Woooo Warning Will Robinson!!

Security alert!

NEVER use shared credentials!!!

If everyone uses the same credentials you'll never know who edited the file!

[Irithori]

In that scenario: No way to tell.

Kill all accounts,
set up them up from scratch
and make it *very* clear, that each one has to take responsibility what happens with his/her account credentials and also the actions done with his/her account.

[thomas2004ch]

Wooooo...Wooooo.....Woooo Warning Will Robinson!!

Security alert!

NEVER use shared credentials!!!

If everyone uses the same credentials you'll never know who edited the file!

It's pity that is the situation in our company. For example by the production machine. More than one colleague share the same account. This will not be changed.So I am going to find a solution.

Someone told me that I can CAT the /var/log/secure file. I've tried but just can find what time from which IP is log in.

[thomas2004ch]

In that scenario: No way to tell.

Kill all accounts,
set up them up from scratch
and make it *very* clear, that each one has to take responsibility what happens with his/her account credentials and also the actions done with his/her account.

Assumed every body uses his own account, how can I know who has modified a file?

[Irithori]

No.
You *need* to fight this through.
But at least logic and common sense is on your side

If
business/managements want to have the responsibilty and accountability for the users´ actions on the servers (why do they have a shell in the first place?)
then
each user needs to have his/her own account.


If
business/managements wants to have shared accounts
then
fine. It is their decision. But the consequence is, that responsibilty and accountability is not given.


There is no magic. Just consequences.
So I would suggest you set up a meeting with your manager and explain the options.
In any case, *document* the outcome, so that you keep your hands clean.


FYI:
In other, especially bigger companies, it is quite common to force the users to change their passwords every few weeks.
For the sole reason to keep the account connected to a specific person.

(Even if a password is leaked to another person, the impact is at least limited to a certain time.)

[Irithori]

Assumed every body uses his own account, how can I know who has modified a file?

You have the login time of the user,
you have the modified time of a file.
you know in which groups he/she is.

If the user created or deleted/recreated a file, it will have his/her user as owner.

As a last resort, you -as the responsible person for the system and in your role as systemadminsitrator- could take a look at the user´s history file.
But beware, this may even have legal impact

If there is need for more detailed information:
- who did
- exactly what changes
- to which files
- when?
then I would suggest to use a revision control system like subversion or git.

[Irithori]

Just re-read your post.
Shell logins for users on production machines?

In my company, this would be unthinkable.
*Only* OPS (operations) has access to production.
No exceptions.
Development and QA can view centralized logs via a website, but that´s it.

[thomas2004ch]

No.
You *need* to fight this through.
But at least logic and common sense is on your side

...

Wonderful! I will let our manager to read your post.

[Irithori]

sure.
Not the first time I deal with management