Auditing Linux Server

Posted on 2005-05-05
Medium Priority
Last Modified: 2012-06-22
Hi everybody,

I have a Linux Samba server configured as a PDC, to which around 55-60 WinXP clients connect. Each of these users has a network home directory on the Samba server, which is stored in a separate partition (opt1). On some days this partition's size varies suddenly, depending on the addition/deletion of data files by the users in their home directories on this partition. But we have no option to AUDIT or trace the usage of this partition on the server.

So I just want to know whether there is any utility/tool in Linux so that we can audit the activities on the servers by all the users, like who has added files/directories greater than 10GB, who has deleted files the previous day, etc.

Please help me in this matter.

Question by:mshajan

Accepted Solution

JammyPak earned 112 total points
ID: 13936052
here's something that I do:
- I have a script that I run weekly (it's in /etc/cron.weekly), which checks the size of all home dirs, and emails me the results
here it is:

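#!/bin/sh
# homeroot is the directory that holds the home directories (placeholder, set it for your system)
homeroot=/path/to/homes
# report root is wherever you want the reports to be saved to (placeholder, set it for your system)
reportroot=/path/to/reports
# build the report name once so the file that is written is the file that is mailed
report="$reportroot/homedir_check_$(date +%m%d%Y).dsc"

# stop if the home directory root is missing, otherwise du would measure the wrong directory
cd "$homeroot" || exit 1
# output all homedirs plus their size, sorted by size, and save it with the date appended
# (the .dsc is random, I associated that extension with my browser)
du --max-depth=1 | sort -nr > "$report"
# the report is owned by root by default, so I change that
chown -R user1 "$reportroot"
chmod -R u+rwx,g+rwx,o+rx "$reportroot"
# mail the report results to 'root'
mail -s "Home Directory stats: $(date)" root < "$report"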

I also email myself a weekly 'df -h', just to get a snapshot of the partitions and how things are going for space.
If you wanted to actually pinpoint which files had been added, you could do that with the 'find' command, but at least this way I know whose home directory has been growing.

Expert Comment

ID: 13941712

There are unlikely to be any prefab tools or software packages which provide this functionality. Auditing tends to be a very specific thing, and depends on what _you_ want to monitor. I recommend you consult with someone who has a strong working knowledge of Samba and Perl. Perl is the de facto scripting language used by SysAdmins for anything and everything on Linux; there are sometimes better methods than Perl for specific tasks, but there's very little (anything?) that can't be done in Perl.

Author Comment

ID: 13949671

Hi,

Can you just help me in creating a simple script with the following:

home directory = /opt1/samba/server/homes

I need to check the file/directory sizes on a weekly basis. It would also be nice if I can know who has made a major change to their home directory which results in a major change in the size of the partition (opt1)...

Author Comment

ID: 13950518

Please tell me, is there any tool for auditing/monitoring user activities in Linux?


Assisted Solution

macker- earned 108 total points
ID: 14031398
There is process accounting (psacct), but this has its roots in supercomputing where people are billed (or limited) in how much CPU time they're allowed to use (literally).

There does not tend to be a lot of stuff for seeing _exactly_ what a user is doing, simply because this is far too much data to be manageable.

For the script, I would recommend talking to someone who knows Perl.. they can probably whip something up that keeps a record of previous usage, and alerts you to sudden changes.  You could create a script that shows you _any_ change easily, but this wouldn't be too useful.  E.g.:

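umask 077
# keep the previous snapshot, if there is one (on the first run there is nothing to move)
[ -f /tmp/diskmonitor.today ] && mv -f /tmp/diskmonitor.today /tmp/diskmonitor.old
# record the current size of every home directory
du -h --max-depth=1 /opt1/samba/server/homes > /tmp/diskmonitor.today
# mail only the lines that differ between the two snapshots
diff -y --suppress-common-lines /tmp/diskmonitor.old /tmp/diskmonitor.today | mail -s "Home directory usage changes" sysadmin@remote-host.com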

Note: change /tmp to a useful directory.  This should run as root to be able to generate accurate file sizes.  This will overwrite anything existing.  There is a fraction of a moment during which a race condition can occur here, but it's negligible.  You could overcome it by touching a file, then doing an if check to make sure that file is owned by you, then writing to the file... but this is overkill.

Again, this script will show you _any_ difference, and I didn't look to see if some versions of diff allow evaluating numeric values and only recognizing a difference greater than N (percent or numerical), which is what would make this more useful... but even using the above and feeding it through a Perl script should be simple.
