  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 804

Determine who last modified a file on a Windows 2000 server or a Linux or Unix server

We had a problem occur last week where one of the critical files on our web server was changed and broke links on the main page.  I was able to fix the problem and determine when and where the problem occurred in the file, but I don’t know of any place in Windows 2000 server that would tell me who modified a file last.  One person I spoke to seems to think this is possible in either Unix or Linux, but others I spoke to say it is not.  They say you can only determine who had permissions to change the file, but not who actually changed it.  Do you know if this is correct?

This occurs occasionally and is not done by people with a lot of computer expertise so they typically would be doing this by accident, not intentionally, and the user would not be trying to hide what they did.  Unfortunately, no one seems to want to admit they caused the problem.  My interest is getting the problem narrowed down and getting the person some training so they don't do it again.  
0
ETC-Staff
Asked:
ETC-Staff
1 Solution
 
pjedmond Commented:
As always, it depends on the level of logging you allow! The more logging you configure, then the greater the amount of processing required by the logging process.

In reality, unless you are doing troubleshooting on a Windows machine, you can only see who has permissions to alter the file, and when it was altered.

A similar situation exists with the default samba (linux filesharing) log level, although this likewise can be increased to a level that you can see almost everything.

So in your case, chances are that you can only see who had permissions to alter the files concerned (perhaps narrowed down slightly by looking at who had logged on in that time period).

If you need something to carry out the necessary logging, then the Enterprise Version of  Track For Win logs this information quite nicely:

http://www.track4win.com/ent/

(   (()
(`-' _\
 ''  ''



0
 
ETC-Staff (Author) Commented:
Would this also be true for Unix?  Is there any operating system that could be set up to track these changes?
0
 
ETC-Staff (Author) Commented:
We are in the process of moving the web server to a new machine so the possibility of changing to another OS or web server exists.  Before I ask for money for a third party product, I just need to be able to say for sure that we can't determine who modified a file by setting up features in the OS itself.  Is this correct for Unix, Linux, and Windows?  Is there any other OS that would do this?
0

 
pjedmond Commented:
Absolutely - as mentioned track4win will do the tracking for windows.

With samba, on linux (any *nix), you can turn up the logging level on samba to 3 or above. *WARNING* this has a significant impact on performance. (Having said that, many  smaller companies don't get the processor use above 20% on their linux fileservers, so this may not be an issue?) See here for a little more info on samba logging:

http://www.oreilly.com/catalog/samba/chapter/book/ch04_08.html

Samba logging isn't that 'obvious' in that the file is not identified by name, but rather by number, but all the information is there to be able to trace the culprit.

(   (()
(`-' _\
 ''  ''
0
 
PsiCop Commented:
ETC-Staff,

You need to understand that unlike Windoze, which locks you into a specific technology, both Linux and most UNIX platforms support many different filesystems - for example, UFS, EXT2, EXT3, Reiser, NSS, JFS and many more. And it is the *filesystem* that determines the tracking capability. Sometimes, as we see with SAMBA, the access method can also be used. You also need to understand that there is not one "UNIX" - UNIX is a general OS design, not a singular operating system.

Beyond relying on filesystem or access method logging to keep track of who alters files when, you can also use an auditing tool. Some OSes include them, they are add-ons for others.
0
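
As an added example (not part of any poster's reply): on Linux, the kernel audit subsystem (auditd) is one OS-level auditing tool of the kind described above. The Python below correlates audit records by event serial number and reports the login UID (`auid`) behind the last successful write to a watched file; the log lines, path, key name and UIDs are constructed for illustration.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log records, of the kind produced by
# a watch rule such as: auditctl -w /var/www/html/index.html -p wa -k webfile
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1118930400.101:501): syscall=2 success=yes exit=3 pid=2290 auid=1001 uid=1001 comm="vi" exe="/usr/bin/vi" key="webfile"
type=PATH msg=audit(1118930400.101:501): item=0 name="/var/www/html/index.html" inode=4242
type=SYSCALL msg=audit(1118934000.555:617): syscall=2 success=yes exit=4 pid=3050 auid=1002 uid=0 comm="cp" exe="/bin/cp" key="webfile"
type=PATH msg=audit(1118934000.555:617): item=0 name="/var/www/html/index.html" inode=4242
type=SYSCALL msg=audit(1118935000.000:640): syscall=2 success=no exit=-13 pid=3111 auid=1003 uid=1003 comm="nano" exe="/usr/bin/nano" key="webfile"
type=PATH msg=audit(1118935000.000:640): item=0 name="/var/www/html/index.html" inode=4242
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')

def parse_events(log_text):
    """Group records that share an audit event serial number into one event."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        # shlex strips the quotes around values such as exe="/bin/cp"
        fields = dict(t.split('=', 1) for t in shlex.split(rest) if '=' in t)
        ev = events.setdefault(serial, {'time': float(ts), 'paths': []})
        if rtype == 'SYSCALL':
            ev.update(auid=fields['auid'], uid=fields['uid'],
                      exe=fields['exe'], success=fields['success'] == 'yes')
        elif rtype == 'PATH':
            ev['paths'].append(fields['name'])
    return events

def last_modifier(log_text, path):
    """Return the most recent *successful* audited write to path, or None."""
    hits = [e for e in parse_events(log_text).values()
            if path in e['paths'] and e.get('success')]
    if not hits:
        return None
    e = max(hits, key=lambda ev: ev['time'])
    when = datetime.fromtimestamp(e['time'], tz=timezone.utc).isoformat()
    # auid is the UID the person logged in with; it survives su/sudo, unlike uid
    return {'auid': e['auid'], 'uid': e['uid'], 'exe': e['exe'], 'when': when}

if __name__ == '__main__':
    print(last_modifier(SAMPLE_LOG, '/var/www/html/index.html'))
```

In the sample, the last successful change was made as root (`uid=0`), but `auid=1002` still identifies the account that originally logged in; the later denied attempt by `auid=1003` is ignored.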
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
Windows can track these changes if you enable file auditing.
0
 
ETC-Staff (Author) Commented:
Thanks for all the comments.  I am just referring to the systems as unix and linux in the generic sense.  I do realize there are different versions of all of these.  I am not a network admin, but I can turn this over to our network admin to investigate.  I just want to be able to point him in the right direction.  The folks I have talked to so far have told me they think it can be done, but haven't done it themselves and can't be any more specific than that.  We are considering changing platforms as we move the web server so I appreciate all the comments.   This is for a university so I am trying to keep the costs down as funds are very tight this year.  So purchasing any commercial add-ons will need some pretty good justification.  I have tried to run this web server with minimum interference from me, but it has become very large and it is apparent we need some more control or to at least know what exactly is going on with some of the files.  We have quite a few "web maintainers" on the system.  For the most part, this has worked very well, but now we need to make some changes.

We are using Windows 2000 Server.  I only found "file auditing" mentioned once in the help when I did a search.  I didn't see how it is turned on.  Can you help me with that?  Thanks.
0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
0
 
engineer_dell Commented:
Hello ETC Staff

References for w2k auditing
http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
http://labmice.techtarget.com/troubleshooting/EventLog.htm
http://support.microsoft.com/?kbid=300549

Here you can find 3rd party free file integrity tools
http://www.honeypots.net/ids/integrity-management
http://www.networkintrusion.co.uk/integrity.htm
http://www.sysinternals.com/Utilities/Filemon.html
http://www.contactplus.com/products/freestuff/monidir.htm

I like GFI LANguard Security Event Log Monitor (S.E.L.M.) - performs event log based intrusion detection and network-wide event log management. Monitor users attempting to access secured shares and confidential files; Monitor critical servers and create alerts for specific events and conditions occurring on your network; Back up and clear event logs automatically on remote machines; Detect attacks using local user accounts
http://www.gfi.com/lanselm/

Regards,
Engineer_Dell
0
 
scrathcyboy Commented:
If you give Windows, Unix or Linux users permissions to access the root of the C drive OR the OS folders, or the folder where the crucial file exists, then YES, and one of them could accidentally corrupt ANY file in those folders where they have permissions to access.  You need to be more restrictive of permissions on the file server, not go on a long hunt.

Review all user permissions for ALL directories on the file server.  Do not allow root access for ordinary users, nor access to the Windows or OS folders.  Limit their access to their working directories, and keep ALL KEY system or crucial files inaccessible to ordinary users.  This is the RIGHT way to solve the problem.
0
