Solved

Determine who last modified a file on a Windows 2000 server or a Linux or Unix server

Posted on 2006-06-24
Last Modified: 2013-11-15
We had a problem occur last week where one of the critical files on our web server was changed and broke links on the main page.  I was able to fix the problem and determine when and where the problem occurred in the file, but I don’t know of any place in Windows 2000 server that would tell me who modified a file last.  One person I spoke to seems to think this is possible in either Unix or Linux, but others I spoke to say it is not.  They say you can only determine who had permissions to change the file, but not who actually changed it.  Do you know if this is correct?

This occurs occasionally and is not done by people with a lot of computer expertise so they typically would be doing this by accident, not intentionally, and the user would not be trying to hide what they did.  Unfortunately, no one seems to want to admit they caused the problem.  My interest is getting the problem narrowed down and getting the person some training so they don't do it again.  
0
Question by:ETC-Staff
13 Comments
 
LVL 22

Accepted Solution

by:
pjedmond earned 500 total points
ID: 16975745
As always, it depends on the level of logging you allow! The more logging you configure, the greater the amount of processing required by the logging process.

In reality, unless you are doing troubleshooting on a Windows machine, you can only see who has permissions to alter the file, and when it was altered.

A similar situation exists with the default samba (linux filesharing) log level, although this likewise can be increased to a level that you can see almost everything.

So in your case, chances are that you can only see who had permissions to alter the files concerned (perhaps narrowed down slightly by looking at who had logged on in that time period).

If you need something to carry out the necessary logging, then the Enterprise Version of  Track For Win logs this information quite nicely:

http://www.track4win.com/ent/

(   (()
(`-' _\
 ''  ''



0
 
LVL 4

Author Comment

by:ETC-Staff
ID: 16975772
Would this also be true for Unix?  Is there any operating system that could be set up to track these changes?
0
 
LVL 4

Author Comment

by:ETC-Staff
ID: 16975845
We are in the process of moving the web server to a new machine so the possibility of changing to another OS or web server exists.  Before I ask for money for a third party product, I just need to be able to say for sure that we can't determine who modified a file by setting up features in the OS itself.  Is this correct for Unix, Linux, and Windows?  Is there any other OS that would do this?
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16975865
Absolutely - as mentioned track4win will do the tracking for windows.

With samba, on linux (any *nix), you can turn up the logging level on samba to 3 or above. *WARNING* this has a significant impact on performance. (Having said that, many  smaller companies don't get the processor use above 20% on their linux fileservers, so this may not be an issue?) See here for a little more info on samba logging:

http://www.oreilly.com/catalog/samba/chapter/book/ch04_08.html

Samba logging isn't that 'obvious' in that the file is not identified by name, but rather by number, but all the information is there to be able to trace the culprit.

(   (()
(`-' _\
 ''  ''
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 16975952
ETC-Staff,

You need to understand that unlike Windoze, which locks you into a specific technology, both Linux and most UNIX platforms support many different filesystems - for example, UFS, EXT2, EXT3, Reiser, NSS, JFS and many more. And it is the *filesystem* that determines the tracking capability. Sometimes, as we see with SAMBA, the access method can also be used. You also need to understand that there is not one "UNIX" - UNIX is a general OS design, not a singular operating system.

Beyond relying on filesystem or access method logging to keep track of who alters files when, you can also use an auditing tool. Some OSes include them, they are add-ons for others.
0
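An added example, not part of any post in this thread, of what an OS-level audit trail gives you on Linux. It assumes the Linux audit subsystem (auditd) with a write/attribute watch on the web root, for instance `auditctl -w /var/www/html -p wa -k webroot`; the key name, paths, uids and log records below are constructed for illustration. It pairs each SYSCALL record with its PATH records by audit event id and reports who last wrote a file successfully.

```python
import re
from collections import defaultdict

# Constructed sample records in the audit daemon's log format (fields trimmed).
# Assumes PATH names are absolute; real logs may record them relative to a CWD record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1151150400.101:210): syscall=5 success=yes exit=3 items=1 pid=2301 auid=1004 uid=1004 euid=1004 comm="vi" exe="/usr/bin/vi" key="webroot"
type=PATH msg=audit(1151150400.101:210): item=0 name="/var/www/html/index.html" inode=88231
type=SYSCALL msg=audit(1151154000.555:318): syscall=5 success=yes exit=4 items=1 pid=2977 auid=1007 uid=0 euid=0 comm="cp" exe="/bin/cp" key="webroot"
type=PATH msg=audit(1151154000.555:318): item=0 name="/var/www/html/index.html" inode=88231
type=SYSCALL msg=audit(1151157600.020:402): syscall=5 success=no exit=-13 items=1 pid=3120 auid=1009 uid=1009 euid=1009 comm="vi" exe="/usr/bin/vi" key="webroot"
type=PATH msg=audit(1151157600.020:402): item=0 name="/var/www/html/index.html" inode=88231
type=SYSCALL msg=audit(1151158000.700:410): syscall=5 success=yes exit=3 items=1 pid=3200 auid=1009 uid=1009 euid=1009 comm="vi" exe="/usr/bin/vi" key="webroot"
type=PATH msg=audit(1151158000.700:410): item=0 name="/var/www/html/news.html" inode=88240
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295  # login uid of processes not started from a login session

def parse_events(log_text):
    """Group records by audit event id (timestamp, serial) -> {record type: [fields]}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        events[(float(ts), int(serial))][rtype].append(fields)
    return events

def last_modifier(log_text, path):
    """Return who performed the latest successful audited write to path, or None."""
    hits = []
    for event_id, recs in parse_events(log_text).items():
        if not recs.get("SYSCALL"):
            continue
        sc = recs["SYSCALL"][0]
        names = {p.get("name") for p in recs.get("PATH", [])}
        if path in names and sc.get("success") == "yes":
            hits.append((event_id, sc))
    if not hits:
        return None
    (ts, _serial), sc = max(hits, key=lambda h: h[0])
    # auid is the login uid: it stays fixed across su/sudo, unlike uid/euid.
    auid = int(sc["auid"])
    return {"time": ts, "auid": auid, "uid": int(sc["uid"]), "exe": sc["exe"],
            "login_known": auid != UNSET_AUID}
```

In the sample, the last successful write to index.html ran as root (uid 0), but the login uid shows it was the person who logged in as 1007; the later denied attempt by 1009 is ignored.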

 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 16976093
Windows can track these changes if you enable file auditing.
0
 
LVL 4

Author Comment

by:ETC-Staff
ID: 16976323
Thanks for all the comments.  I am just referring to the systems as unix and linux in the generic sense.  I do realize there are different versions of all of these.  I am not a network admin, but I can turn this over to our network admin to investigate.  I just want to be able to point him in the right direction.  The folks I have talked to so far have told me they think it can be done, but haven't done it themselves and can't be any more specific than that.  We are considering changing platforms as we move the web server so I appreciate all the comments.   This is for a university so I am trying to keep the costs down as funds are very tight this year.  So purchasing any commercial add-ons will need some pretty good justification.  I have tried to run this web server with minimum interference from me, but it has become very large and it is apparent we need some more control or to at least know what exactly is going on with some of the files.  We have quite a few "web maintainers" on the system.  For the most part, this has worked very well, but now we need to make some changes.

We are using Windows 2000 Server.  I only found "file auditing" mentioned once in the help when I did a search.  I didn't see how it is turned on.  Can you help me with that?  Thanks.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 16976328
0
 
LVL 6

Expert Comment

by:engineer_dell
ID: 16976538
Hello ETC Staff

References for w2k auditing
http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
http://labmice.techtarget.com/troubleshooting/EventLog.htm
http://support.microsoft.com/?kbid=300549

Here you can find 3rd party free file integrity tools
http://www.honeypots.net/ids/integrity-management
http://www.networkintrusion.co.uk/integrity.htm
http://www.sysinternals.com/Utilities/Filemon.html
http://www.contactplus.com/products/freestuff/monidir.htm

I like GFI LANguard Security Event Log Monitor (S.E.L.M.) - performs event log based intrusion detection and network-wide event log management. Monitor users attempting to access secured shares and confidential files; Monitor critical servers and create alerts for specific events and conditions occurring on your network; Back up and clear event logs automatically on remote machines; Detect attacks using local user accounts
http://www.gfi.com/lanselm/

Regards,
Engineer_Dell
0
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 16981477
If you give windows, unix or linux users permissions to access the root of the C drive OR the OS folders, or the folder where the crucial file exists, then YES, and one of them could accidentally corrupt ANY file in those folders where they have permissions to access.  You need to be more restrictive of permissions on the file server, not go on a long hunt.

Review all user permissions for ALL directories on the file server.  Do not allow root access for ordinary users, nor access to the windows or OS folders.  Limit their access to their working directories, and keep ALL KEY system or crucial files inaccessible to ordinary users.  This is the RIGHT way to solve the problem.
0
