Auditing Linux Server

Hi everybody…]

             I have a linux samba server configured as PDC to which around 55-60 WinXP clients connect to it. And these users each have a network home directory in the samba server , which is stored in a seprate partition (opt1) .In some days this partition size varies suddenly depending on the  addition / deletion of data files  by the users to their home directories on this partition.. But we have no option to AUDIT or trace the usage of this partition on the server

           So I just want to know whether there is any utility/tool in linux so that we can audit the activities on the servers by all the users like, who has added the files/directories greater than 10GB, who has deleted files the previous day. etc….

           Please help me in this matter…  

Who is Participating?
here's something that I do:
- I have a script that I run weekly (it's in /etc/cron.weekly), which checks the size of all home dirs, and emails me the results
here it is:

# report root is whereever you want the reports to be saved to

cd $homeroot
# output all homedirs plus their size, sorted by size, and save it with the date appended
# (the .dsc is random, I associated that extension with my browser)
du  --max-depth=1 | sort -nr > $reportroot/homedir_check_$(date +%m%d%Y).dsc
# the report is owned by root by default, so I change that
chown -R user1 $reportroot
chmod -R u+rwx,g+rwx,o+rx $reportroot
#mail the report results to 'root'
mail -s "Home Directory stats: `date`" root < $reportroot/homedir_check_$(date +%m%d%Y).dsc

I also email myself a weekly 'df -h', just to get a snapshot of the partitions and how things are going for space.
If you wanted to actually pinpoint which files had been added, you could do that with the 'find' command, but at least this way I know who's home directory has been growing

There is unlikely to be any prefab tools or software packages which provide this functionality.  Auditing tends to be a very specific thing, and depends on what _you_ want to monitor.  I recommend you consult with someone who has a strong working knowledge of Samba and Perl.  Perl is the de facto scripting language used by SysAdmins for anything and everything on Linux; there are sometimes better methods than Perl for specific tasks, but there's very little (anything?) that can't be done in Perl.
mshajanAuthor Commented:

  Hi ,
          Can u just help me in creating a simple script with the following

          home directory = /opt1/samba/server/homes

    I need to check the file/directory sizes on weekly basis. and also would be nice if i can know who has done a major change to their home directory which results in major change in the size of the partition(opt1)...
mshajanAuthor Commented:

                 please tell me ,  is there any tool for auditing/monitoring user activities in linux....

There is process accounting (psacct), but this has its roots in supercomputing where people are billed (or limited) in how much CPU time they're allowed to use (literally).

There does not tend to be a lot of stuff for seeing _exactly_ what a user is doing, simply because this is far too much data to be manageable.

For the script, I would recommend talking to someone who knows Perl.. they can probably whip something up that keeps a record of previous usage, and alerts you to sudden changes.  You could create a script that shows you _any_ change easily, but this wouldn't be too useful.  E.g.:

umask 077
mv -f /tmp/ /tmp/diskmonitor.old
du -h --max-depth=1 /opt1/samba/server/homes > /tmp/
diff -y --suppress-common-lines /tmp/diskmonitor.old /tmp/ | mail -s "Home directory usage changes" sysadmin[]

Note: change /tmp to a useful directory.  This should run as root to be able to generate accurate file sizes.  This will overwrite anything existing.  There is a fraction of a moment during which a race condition can occur here, but it's negligible.  You could overcome it by touching a file, then doing an if check to make sure that file is owned by you, then writing to the file... but this is overkill.

Again, this script will show you _any_ difference, and I didn't look to see if some versions of diff allow evaluating numeric values and only recognizing a difference greater than N (percent or numerical), which is what would make this more useful... but even using the above and feeding it thru a Perl script should be simple.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.