My original question was "how do I see who wrote a file last, not just
when."
Thanks to:
lrs_at_zk3.dec.com
Alan Davis
Allen Carpenter
Kurt Carlson
I take my hat off to lrs_at_zk3.dec.com for pointing out my error: audit in
fact logs whether a file is opened read only, or read-write. This solved my
problem as the ruid and euid are logged (see below).
Harold Gabel
MCI WorldCom Systems Administrator
----snip----
lrs_at_zk3.dec.com wrote:
The open audit record includes information on the open "mode" - read,
write, trunc, creat, sync, excl, append, ....
audit_id: 1124 ruid/euid: 1124/1124
pid: 4278 ppid: 4273 cttydev: (6,2)
event: open
char param: /etc/motd
flags: 1537 : write trunc creat
inode id: 7990 inode dev: (19,81) [regular file]
object mode: 0644
req mode: 0600
result: 3 (0x3)
ip address:
timestamp: Tue Jun 15 11:32:36.95 1999 EDT
1124:1124:1124 4278 0x3 open ( /etc/motd 0x601 0600
)
Received on Tue Jun 15 1999 - 21:32:54 NZST