顯示文件的歷史記錄（修改過文件的使用者清單）

如果您之前未啟用某種審核，則沒有工具可以在文件修改後報告此情況。您可以取得文件上次修改的日期和時間，但不能取得修訂記錄。

接下來，您可以安裝、設定、啟用該auditd套件。

從auditctl手冊頁：

-w path
    Insert  a  watch for the file system object at path. You cannot insert
    a watch to the top level directory. This is prohibited by the  kernel. 
    Wildcards  are not supported either and will generate a warning. The way
    that watches work is by tracking the inode internally. If you place a 
    watch on a file, its the same as  using  the  -F  path  option  on a 
    syscall rule. If you place a watch on a directory, its the same as using
    the -F dir option on a syscall rule.  The  -w form  of  writing watches 
    is for backwards compatibility and the syscall based form is more
    expressive. Unlike most syscall auditing rules,  watches  do  not impact
    performance  based on the number of rules sent to the kernel. The only 
    valid options when using a watch are the -p and -k. If you  need to     
    anything fancy like audit a specific user accessing a file, then use 
    the syscall auditing form with the path or dir fields.

問題中有更多關於此的討論記錄隱藏文件的創建

這裡討論如何使用 inotify 進行駭客攻擊，使其為您提供 PID 和 UID。 http://www.ioremap.net/node/55

另請參閱審計 http://andries.filmer.nl/kb/Monitoring-file-system-events-with-inotify,-incron-and-authctl/129#Audit