Linux – How to find the full history of a file

audit, files, linux

I need to know the full history of a file, like if someone changed it or moved it to some other place since the time it was created.

Best Answer

In general, you can't. The metadata guaranteed to be stored is always that of the latest revision, and any other metadata could be overwritten at any moment.

If your environment is potentially hostile, consider using the kernel audit subsystem to audit and log the rename() and write() syscalls. This is fairly unwieldy, however, because you will log extreme volumes of data that you probably don't care about. You could also limit your auditing to a subset of files which you care about, if you like.

If this is mostly for revision, consider using a version control system, like Git. This allows users to keep tabs on file states effectively through time, and is much more user friendly than navigating backwards through an audit log. It can do all the things you asked for, and much more.
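
An added example, not part of the original answer: once auditing is limited to the files you care about, the raw audit records can be turned into a per-file timeline that follows the file across renames. The watch rule, the key `filehist`, the paths and the sample records are all constructed assumptions, and the records are trimmed to the fields used and assumed to carry absolute path names.

```python
import re
import shlex
from collections import defaultdict

# Constructed records in auditd raw format; assumed rule: auditctl -w /srv/data -p wa -k filehist
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="filehist"
type=PATH msg=audit(1700000000.100:101): item=1 name="/srv/data/report.txt" nametype=NORMAL
type=SYSCALL msg=audit(1700000500.200:102): arch=c000003e syscall=82 success=yes auid=1001 uid=0 comm="mv" exe="/usr/bin/mv" key="filehist"
type=PATH msg=audit(1700000500.200:102): item=2 name="/srv/data/report.txt" nametype=DELETE
type=PATH msg=audit(1700000500.200:102): item=3 name="/srv/data/old/report.txt" nametype=CREATE
type=SYSCALL msg=audit(1700000900.300:103): arch=c000003e syscall=257 success=yes auid=1001 uid=0 comm="tee" exe="/usr/bin/tee" key="filehist"
type=PATH msg=audit(1700000900.300:103): item=1 name="/srv/data/old/report.txt" nametype=NORMAL
'''
HEADER = re.compile(r'type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)')

def parse_events(log_text):
    """Group raw records by audit event serial number, oldest first."""
    events = defaultdict(lambda: {"time": None, "syscall": {}, "paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, secs, serial, rest = m.groups()
        fields = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
        ev = events[int(serial)]
        ev["time"] = int(secs)
        if rtype == "SYSCALL":
            ev["syscall"] = fields      # who did it: auid, uid, exe, comm
        elif rtype == "PATH":
            ev["paths"].append(fields)  # what it touched: name, nametype
    return [events[s] for s in sorted(events)]

def file_history(log_text, path):
    """Timeline of audited events touching `path`, following it across renames."""
    history, current = [], path
    for ev in parse_events(log_text):
        by_type = {p.get("nametype"): p.get("name") for p in ev["paths"]}
        if current not in by_type.values():
            continue
        entry = {"time": ev["time"], "auid": ev["syscall"].get("auid"),
                 "exe": ev["syscall"].get("exe"), "path": current, "moved_to": None}
        if by_type.get("DELETE") == current and "CREATE" in by_type:
            current = entry["moved_to"] = by_type["CREATE"]  # track the new name
        history.append(entry)
    return history

if __name__ == "__main__":
    for e in file_history(SAMPLE_LOG, "/srv/data/report.txt"):
        print(e)
```

The timeline only covers events logged after the audit rule was in place; nothing before that point can be recovered this way.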
