
inotify - how to find out which user has modified file?


I'm looking for guidance on how to find out which user has modified a particular file. While inotify is great for getting a notification when a particular file is touched, how do I figure out which user has modified that file? I can think of using lsof, but I'm afraid that it may not be as "realtime" as I want and/or it might be too much of a tax on resources. By realtime, I mean that if a user simply executes a touch command on a file, by the time I run lsof on the file, it may not be picked up by lsof.


Solution

  • You can use the audit daemon:

    sudo apt-get install auditd

    Choose a file to monitor:

    touch /tmp/myfile

    Add an audit rule for write and attribute change (-p wa):

    sudo auditctl -w /tmp/myfile -p wa -k my-file-changed

    The file is touched by some user:

    touch /tmp/myfile

    Check the audit logs:

    sudo ausearch -k my-file-changed | tail -1

    You can see the UID of the user who ran the command in the output:

    type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2 success=yes exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0 items=1 ppid=3428 pid=4793 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/bin/touch" key="my-file-changed"

    For details of usage, see the man pages or this sample guide.
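As an added example (not code from the answer above), a small Python parser for the SYSCALL records that `ausearch -k my-file-changed` prints. It reports the login UID (`auid`) alongside `uid`, because `auid` still names the user who logged in when the change was made through sudo or su, while `auid=4294967295` (unsigned -1) means no login UID was stamped on the process. The first sample record is the one from the answer; the second is constructed.

```python
import re

# auid of 4294967295 (unsigned -1) means "unset": the process did not
# descend from a login session that auditd stamped, so only uid/euid
# can be reported for it.
AUID_UNSET = 4294967295

# First record is the one shown in the answer; the second is constructed
# (not from the original post) to show an edit made through sudo.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1313055675.066:57): arch=c000003e syscall=2 success=yes '
    'exit=3 a0=7ffffb6744dd a1=941 a2=1b6 a3=7ffffb673bb0 items=1 ppid=3428 pid=4793 '
    'auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 '
    'sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="touch" exe="/bin/touch" '
    'key="my-file-changed"',
    'type=SYSCALL msg=audit(1313055700.123:58): arch=c000003e syscall=2 success=yes '
    'exit=3 a0=7ffd12345678 a1=241 a2=1b6 a3=0 items=2 ppid=4800 pid=4801 auid=1000 '
    'uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 '
    'comm="vim" exe="/usr/bin/vim.basic" key="my-file-changed"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')  # timestamp and event serial

def parse_syscall_record(line):
    """Turn one ausearch SYSCALL line into the fields that matter for attribution."""
    m = MSG_RE.search(line)
    if m is None or not line.startswith("type=SYSCALL"):
        return None  # PATH/CWD records of the same event carry no identity fields
    raw = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    auid = int(raw["auid"])
    return {
        "epoch": float(m.group(1) + "." + m.group(2)),
        "serial": int(m.group(3)),
        "uid": int(raw["uid"]),
        "euid": int(raw["euid"]),
        "auid": None if auid == AUID_UNSET else auid,
        "comm": raw["comm"],
        "exe": raw["exe"],
        "key": raw["key"],
        "success": raw["success"] == "yes",
    }

def responsible_uid(rec):
    """Prefer the login UID: it survives sudo/su, whereas uid/euid show the effective identity."""
    return rec["uid"] if rec["auid"] is None else rec["auid"]

def attribute_changes(lines):
    """One (serial, login uid, uid, comm, exe) tuple per successful SYSCALL record."""
    out = []
    for line in lines:
        rec = parse_syscall_record(line)
        if rec and rec["success"]:
            out.append((rec["serial"], responsible_uid(rec), rec["uid"], rec["comm"], rec["exe"]))
    return out
```

Feed it the lines from `sudo ausearch -k my-file-changed` to get one attribution tuple per write; when `auid` is unset (as in the answer's record) only `uid` is available, so make sure PAM's pam_loginuid is in use if you need the login identity.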