Answers:
如果您以前未启用某种审核,则没有工具可以在修改文件后报告此情况。您可以获取上次修改文件的日期和时间,而不是修订历史记录。
继续,您可以安装,设置,启用该auditd软件包。
从auditctl手册页:
-w path
Insert a watch for the file system object at path. You cannot insert
a watch to the top level directory. This is prohibited by the kernel.
Wildcards are not supported either and will generate a warning. The way
that watches work is by tracking the inode internally. If you place a
watch on a file, its the same as using the -F path option on a
syscall rule. If you place a watch on a directory, its the same as using
the -F dir option on a syscall rule. The -w form of writing watches
is for backwards compatibility and the syscall based form is more
expressive. Unlike most syscall auditing rules, watches do not impact
performance based on the number of rules sent to the kernel. The only
valid options when using a watch are the -p and -k. If you need to
anything fancy like audit a specific user accessing a file, then use
the syscall auditing form with the path or dir fields.
关于记录隐藏文件的创建问题中有关于此的更多讨论
在这里,有一些关于用inotify进行黑客攻击的讨论,以使其能够为您提供PID和UID。 http://www.ioremap.net/node/55
另请参阅审核 http://andries.filmer.nl/kb/Monitoring-file-system-events-with-inotify,-incron-and-authctl/129#Audit