I was attempting to identify who had modified one of my script files. I used the stat command to identify when the modifications occurred:
[prodsrvr-PRODDB01] stat check_status.ksh
  File: `check_status.ksh'
  Size: 1117 Blocks: 8 IO Block: 4096 regular file
Device: 17c0fc01h/398523393d Inode: 473 Links: 1
Access: (0644/-rw-r--r--) Uid: (24718/ oracle) Gid: (24718/ dba)
Access: 2017-01-11 19:03:35.972217538 -0500
Modify: 2016-12-19 15:10:07.556675538 -0500
Change: 2016-12-19 15:10:07.000000000 -0500
The Modify line above indicates that the modification occurred on December 19, 2016 at 15:10.
I then issued the last command and grepped for Dec to see who was logged on at that date/time:
[prodsrvr-PRODDB01] last | grep -i Dec
user01 pts/1 144.28.20.203 Tue Dec 20 19:18 - 19:33 (00:15)
user02 pts/0 10.69.96.57 Tue Dec 20 19:10 - 22:22 (1+03:11)
user03 pts/0 139.49.5.29 Mon Dec 19 15:06 - 21:41 (06:34)
user05 pts/0 144.28.21.98 Mon Dec 19 11:54 - 13:20 (01:26)
This indicates a very strong possibility that user03 performed the modification. While not 100% accurate, it is a reasonable way to narrow the list of users who may have made the modification.
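The same correlation can be scripted instead of read by eye. The following is an added example, not part of the original post: it parses `last` output in the format shown above and returns the users whose session covers the file's modify time. It assumes every login line has a host column and that the year, which `last` omits, matches the year of the modify time; the user04 line and its address are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the `last` lines from the post plus one made-up open session.
SAMPLE_LAST = """\
user04 pts/2 192.0.2.10 Wed Dec 21 09:00   still logged in
user01 pts/1 144.28.20.203 Tue Dec 20 19:18 - 19:33 (00:15)
user02 pts/0 10.69.96.57 Tue Dec 20 19:10 - 22:22 (1+03:11)
user03 pts/0 139.49.5.29 Mon Dec 19 15:06 - 21:41 (06:34)
user05 pts/0 144.28.21.98 Mon Dec 19 11:54 - 13:20 (01:26)
"""

# user tty host weekday month day HH:MM, then "- end (days+HH:MM)" or "still logged in"
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3}\s+"
    r"(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<start>\d\d:\d\d)\s+"
    r"(?:-\s+\S+\s+\((?:(?P<d>\d+)\+)?(?P<h>\d+):(?P<m>\d+)\)|(?P<open>still logged in))"
)

def sessions(last_output, year, now):
    """Yield (user, tty, host, start, end) for each parsable login line."""
    for line in last_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # reboot records, wtmp footer, lines without a host
        start = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['start']}", "%Y %b %d %H:%M")
        if m["open"]:
            end = now
        else:
            # Use the duration, not the end clock time: sessions can span midnight.
            end = start + timedelta(days=int(m["d"] or 0),
                                    hours=int(m["h"]), minutes=int(m["m"]))
        yield m["user"], m["tty"], m["host"], start, end

def candidates(last_output, mtime, now=None, slack=timedelta(minutes=1)):
    """Users whose session covers mtime; slack absorbs minute rounding in `last`."""
    now = now or datetime.now()
    return [s[0] for s in sessions(last_output, mtime.year, now)
            if s[3] - slack <= mtime <= s[4] + slack]

if __name__ == "__main__":
    # Real use: mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
    mtime = datetime(2016, 12, 19, 15, 10, 7)  # Modify time from the stat output
    print(candidates(SAMPLE_LAST, mtime))
```

A match only shows who had a session open at that moment; it does not show which session wrote the file.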