Auditing Linux Server

Posted on 2005-05-05
Last Modified: 2012-06-22
Hi everybody…

I have a Linux Samba server configured as a PDC, to which around 55-60 WinXP clients connect. Each of these users has a network home directory on the Samba server, which is stored in a separate partition (opt1). On some days the size of this partition varies suddenly, depending on the addition/deletion of data files by the users in their home directories on this partition. But we have no option to AUDIT or trace the usage of this partition on the server.

So I just want to know whether there is any utility/tool in Linux with which we can audit the activities of all the users on the server, such as who has added files/directories greater than 10GB, who has deleted files the previous day, etc.

Please help me in this matter…

Question by:mshajan

    Accepted Solution

    Here's something that I do:
    - I have a script that I run weekly (it's in /etc/cron.weekly), which checks the size of all home dirs and emails me the results.
    Here it is:

    #!/bin/sh
    # homeroot is the directory that holds the home dirs (placeholder value, set your own)
    homeroot=/home
    # report root is wherever you want the reports to be saved to (placeholder value, set your own)
    reportroot=/path/to/reports
    # build the report name once so the du and mail steps use the same file
    report="$reportroot/homedir_check_$(date +%m%d%Y).dsc"

    cd "$homeroot" || exit 1
    # output all homedirs plus their size, sorted by size, and save it with the date appended
    # (the .dsc is random, I associated that extension with my browser)
    du --max-depth=1 | sort -nr > "$report"
    # the report is owned by root by default, so I change that
    chown -R user1 "$reportroot"
    chmod -R u+rwx,g+rwx,o+rx "$reportroot"
    # mail the report results to 'root'
    mail -s "Home Directory stats: $(date)" root < "$report"

    I also email myself a weekly 'df -h', just to get a snapshot of the partitions and how things are going for space.
    If you wanted to actually pinpoint which files had been added, you could do that with the 'find' command, but at least this way I know whose home directory has been growing.

    Expert Comment


    There are unlikely to be any prefab tools or software packages which provide this functionality.  Auditing tends to be a very specific thing, and depends on what _you_ want to monitor.  I recommend you consult with someone who has a strong working knowledge of Samba and Perl.  Perl is the de facto scripting language used by SysAdmins for anything and everything on Linux; there are sometimes better methods than Perl for specific tasks, but there's very little (anything?) that can't be done in Perl.

    Author Comment


    Hi,
    Can you just help me in creating a simple script with the following:

    home directory = /opt1/samba/server/homes

    I need to check the file/directory sizes on a weekly basis. It would also be nice if I could know who has made a major change to their home directory which results in a major change in the size of the partition (opt1)...

    Author Comment


    Please tell me, is there any tool for auditing/monitoring user activities in Linux....


    Assisted Solution

    There is process accounting (psacct), but this has its roots in supercomputing where people are billed (or limited) in how much CPU time they're allowed to use (literally).

    There does not tend to be a lot of stuff for seeing _exactly_ what a user is doing, simply because this is far too much data to be manageable.

    For the script, I would recommend talking to someone who knows Perl.. they can probably whip something up that keeps a record of previous usage, and alerts you to sudden changes.  You could create a script that shows you _any_ change easily, but this wouldn't be too useful.  E.g.:

    umask 077
    mv -f /tmp/ /tmp/diskmonitor.old
    du -h --max-depth=1 /opt1/samba/server/homes > /tmp/
    diff -y --suppress-common-lines /tmp/diskmonitor.old /tmp/ | mail -s "Home directory usage changes" sysadmin[]

    Note: change /tmp to a useful directory.  This should run as root to be able to generate accurate file sizes.  This will overwrite anything existing.  There is a fraction of a moment during which a race condition can occur here, but it's negligible.  You could overcome it by touching a file, then doing an if check to make sure that file is owned by you, then writing to the file... but this is overkill.

    Again, this script will show you _any_ difference, and I didn't look to see if some versions of diff allow evaluating numeric values and only recognizing a difference greater than N (percent or numerical), which is what would make this more useful... but even using the above and feeding it thru a Perl script should be simple.
