AIDE won't tell you who made the change or exactly what it was, but you'll know a change took place.
This is kind of basic, but do you have something like this set in sudo?

    Defaults syslog="auth", mailto="nslinuxsupp...@fedins.com", mail_always

We have a remote syslog server, so every sudo'd command is recorded somewhere else as well as mailed as it happens. But unless you really tune sudo to limit certain commands, someone nefarious could still cover their tracks locally after getting root authority via sudo. You'd still have the initial sudo commands logged remotely, so you'd have a record of how they got started.

Jon

-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Leland Lucius
Sent: Thursday, March 13, 2014 7:35 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Linux file updates by timestamp and userid

On 3/13/2014 5:32 PM, Shan, Rita wrote:
> Could anyone kindly provide information on how we can monitor/log zLinux file
> updates by timestamp and by user ID? We have a number of staff maintaining
> zLinux systems, all with sudo privilege, and we need a way to track file
> updates by date/time/user ID.
>
> Does AIDE provide this kind of detailed information? What kind of
> overhead will it generate if we turn it on? Is there an inexpensive vendor
> tool for this?

You can use the "audit" package for this. Note that once the user sudos to root, root will be the one logged as modifying the file. However, sudo usage is also logged, so you might be able to correlate the two events somehow.
Leland

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
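The correlation Leland and Jon describe can be done more directly than "somehow": every audit SYSCALL record carries auid, the login UID set by pam_loginuid at login, and that value does not change when the user becomes root through sudo, so the record already names the account that logged in even though uid=0 did the write. The script below is an added example written for this thread, not code from any of the list posters. It parses audit.log-style records produced by a watch such as "auditctl -w /etc/ -p wa -k etc_changes", attributes each changed path to the login user, flags records where auid and uid differ, and attaches the matching sudo syslog line (same user, command naming the path or program). The log lines, the uid-to-name map and the matching heuristic are all constructed for illustration; only the field layout follows real auditd and sudo output.

```python
"""Attribute audit file-change records to the login user and join them with sudo syslog lines."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in auditd's audit.log format. Field layout is real,
# the values are invented. Only the file item of each event's PATH records is shown.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1394748930.123:4501): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=2 ppid=2211 pid=2301 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="vi" exe="/usr/bin/vi" key="etc_changes"
type=PATH msg=audit(1394748930.123:4501): item=1 name="/etc/sudoers" inode=1057 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1394748960.500:4502): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=2 ppid=2400 pid=2401 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=8 comm="touch" exe="/usr/bin/touch" key="etc_changes"
type=PATH msg=audit(1394748960.500:4502): item=1 name="/etc/motd" inode=1099 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Constructed sudo line in the shape sudo writes to syslog (facility auth).
SUDO_LOG = """\
Mar 13 17:35:20 zlnx01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
"""

PASSWD = {1001: "alice", 1002: "bob"}  # constructed uid -> login name map (stand-in for /etc/passwd)

AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_MSG = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
SUDO_LINE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def parse_audit(text):
    """Group records by audit serial number; merge SYSCALL fields with PATH names."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = AUDIT_MSG.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}
        ev = events[int(m.group(3))]
        if fields.get("type") == "SYSCALL":
            ev.update(fields)
            ev["time"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields["name"])
    return [events[s] for s in sorted(events)]


def attribute(events, passwd):
    """One row per changed path. auid is the login UID and survives sudo; uid is the
    UID the syscall ran as. A mismatch means privileges changed after login."""
    rows = []
    for ev in events:
        auid, uid = int(ev["auid"]), int(ev["uid"])
        for path in ev["paths"]:
            rows.append({
                "time": ev["time"].strftime("%Y-%m-%d %H:%M:%S UTC"),
                "login_user": passwd.get(auid, str(auid)),
                "uid": uid,
                "comm": ev["comm"],
                "path": path,
                "escalated": auid != uid,
                "sudo": None,
            })
    return rows


def parse_sudo(text):
    """Extract (invoking user, target user, command) from sudo syslog lines."""
    return [
        {"user": m.group(1), "as": m.group(2), "command": m.group(3)}
        for line in text.splitlines()
        if (m := SUDO_LINE.search(line))
    ]


def correlate(rows, sudo_events):
    """Heuristic join (an assumption of this example): for each escalated change,
    pick the sudo invocation by the same login user whose command names the
    changed path or runs the same program as the audited comm."""
    for row in rows:
        if not row["escalated"]:
            continue
        for s in sudo_events:
            prog = s["command"].split()[0].rsplit("/", 1)[-1]
            if s["user"] == row["login_user"] and (row["path"] in s["command"] or prog == row["comm"]):
                row["sudo"] = s["command"]
                break
    return rows


def report(audit_text=AUDIT_LOG, sudo_text=SUDO_LOG, passwd=PASSWD):
    return correlate(attribute(parse_audit(audit_text), passwd), parse_sudo(sudo_text))


if __name__ == "__main__":
    for r in report():
        flag = "via sudo: " + r["sudo"] if r["sudo"] else ("ESCALATED, no sudo line found" if r["escalated"] else "direct")
        print(f'{r["time"]}  {r["login_user"]:<8} uid={r["uid"]:<5} {r["comm"]:<6} {r["path"]:<14} {flag}')
```

Two caveats a practitioner would add: auid is only reliable if pam_loginuid is in the PAM stack for every login path (sshd, login, cron), and the audit log itself is root-writable, so ship it off-box with audispd or a remote syslog forwarder for the same reason Jon gives for sudo logs.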