ETC-Staff asked:
Determine who last modified a file on a Windows 2000 server or a Linux or Unix server

We had a problem occur last week where one on the critical files on our web server was changed and broke links on the main page.  I was able to fix the problem and determine when and where the problem occurred in the file, but I don’t know of any place in Windows 2000 server that would tell me who modified a file last.  One person I spoke to seems to think this is possible in either Unix or Linux, but others I spoke to say it is not.  They say you can only determine who had permissions to change the file, but not who actually changed it.  Do you know if this is correct?

This occurs occasionally and is not done by people with a lot of computer expertise so they typically would be doing this by accident, not intentionally, and the user would not be trying to hide what they did.  Unfortunately, no one seems to want to admit they caused the problem.  My interest is getting the problem narrowed down and getting the person some training so they don't do it again.  
ASKER CERTIFIED SOLUTION by pjedmond (solution text not available on this page)

ETC-Staff (asker):
Would this also be true for Unix?  Is there any operating system that could be set up to track these changes?
We are in the process of moving the web server to a new machine, so the possibility of changing to another OS or web server exists.  Before I ask for money for a third party product, I just need to be able to say for sure that we can't determine who modified a file by setting up features in the OS itself.  Is this correct for Unix, Linux, and Windows?  Is there any other OS that would do this?
Absolutely - as mentioned, track4win will do the tracking for Windows.

With Samba on Linux (or any *nix), you can turn up the Samba logging level to 3 or above. *WARNING* this has a significant impact on performance. (Having said that, many smaller companies don't get the processor use above 20% on their Linux fileservers, so this may not be an issue?) See here for a little more info on Samba logging:

http://www.oreilly.com/catalog/samba/chapter/book/ch04_08.html

Samba logging isn't that 'obvious', in that the file is not identified by name but rather by number, but all the information is there to be able to trace the culprit.

(   (()
(`-' _\
 ''  ''
PsiCop:
ETC-Staff,

You need to understand that unlike Windoze, which locks you into a specific technology, both Linux and most UNIX platforms support many different filesystems - for example, UFS, EXT2, EXT3, Reiser, NSS, JFS and many more. And it is the *filesystem* that determines the tracking capability. Sometimes, as we see with SAMBA, the access method can also be used. You also need to understand that there is not one "UNIX" - UNIX is a general OS design, not a singular operating system.

Beyond relying on filesystem or access method logging to keep track of who alters files when, you can also use an auditing tool. Some OSes include them, they are add-ons for others.
Windows can track these changes if you enable file auditing.
Thanks for all the comments.  I am just referring to the systems as Unix and Linux in the generic sense.  I do realize there are different versions of all of these.  I am not a network admin, but I can turn this over to our network admin to investigate.  I just want to be able to point him in the right direction.  The folks I have talked to so far have told me they think it can be done, but haven't done it themselves and can't be any more specific than that.  We are considering changing platforms as we move the web server, so I appreciate all the comments.  This is for a university, so I am trying to keep the costs down as funds are very tight this year.  So purchasing any commercial add-ons will need some pretty good justification.  I have tried to run this web server with minimum interference from me, but it has become very large and it is apparent we need some more control, or to at least know what exactly is going on with some of the files.  We have quite a few "web maintainers" on the system.  For the most part, this has worked very well, but now we need to make some changes.

We are using Windows 2000 Server.  I only found "file auditing" mentioned once in the help when I did a search.  I didn't see how it is turned on.  Can you help me with that?  Thanks.
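The "how do I turn file auditing on" question above, worked through as an added example that is not part of this thread and is not any participant's code. It is written for a current Windows host in PowerShell, because Windows 2000 predates PowerShell, auditpol.exe and the 4663 event ID used here; on Windows 2000 the same two steps are done by hand (enable "Audit object access" for success under Local Security Policy > Audit Policy, then add an auditing entry for Everyone / Write on the folder's Security > Advanced > Auditing tab) and the Security-log event IDs differ. $WebRoot and index.html are placeholder names, and the script must be run from an elevated (Administrator) session.

```powershell
# Added example (not from the thread): make Windows record WHO writes to a
# web-content folder, then read the answer back out of the Security log.
# Assumes a current Windows host with PowerShell 5+ and auditpol.exe, run as
# Administrator. $WebRoot is a placeholder for the folder holding the file.
$WebRoot = 'C:\inetpub\wwwroot'

# 1. Enable the "File System" audit subcategory for successful access only.
#    We want to know who DID change a file, not who was refused.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# 2. Put a SACL (audit) entry on the folder: any successful Write or Delete by
#    any account, inherited by the files and subfolders beneath it.
$acl  = Get-Acl -Path $WebRoot -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $WebRoot -AclObject $acl

# 3. Later, answer "who last changed index.html?" from event 4663
#    ("An attempt was made to access an object"), which carries the account,
#    the process and the access mask for each audited handle use.
$file = Join-Path $WebRoot 'index.html'   # constructed file name for the example
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -like "*$file*" } |
  ForEach-Object {
      # Pull the named EventData fields out of the event's XML body.
      $x = [xml]$_.ToXml()
      $d = @{}
      foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
      [pscustomobject]@{
          Time    = $_.TimeCreated
          User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
          Process = $d.ProcessName
          Access  = $d.AccessMask      # 0x2 = WriteData/AddFile, 0x10000 = DELETE
          Object  = $d.ObjectName
      }
  } | Sort-Object Time | Format-Table -AutoSize
```

Two caveats a practitioner would check before relying on this. First, the log names the account that held the handle, so if the web maintainers share one login or edit through a service that runs as its own account, every change will show that one name; the per-person answer only exists when each maintainer has their own account. Second, auditing Write on a busy folder generates a lot of 4663 events, so size the Security log (or forward it) accordingly, and scope the audit entry to the few critical files or folders rather than the whole server.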
engineer_dell:

Hello ETC Staff

References for w2k auditing
http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
http://labmice.techtarget.com/troubleshooting/EventLog.htm
http://support.microsoft.com/?kbid=300549

Here you can find 3rd party free file integrity tools
http://www.honeypots.net/ids/integrity-management
http://www.networkintrusion.co.uk/integrity.htm
http://www.sysinternals.com/Utilities/Filemon.html
http://www.contactplus.com/products/freestuff/monidir.htm

I like GFI LANguard Security Event Log Monitor (S.E.L.M.). It performs event log based intrusion detection and network-wide event log management: monitor users attempting to access secured shares and confidential files; monitor critical servers and create alerts for specific events and conditions occurring on your network; back up and clear event logs automatically on remote machines; detect attacks using local user accounts.
http://www.gfi.com/lanselm/

Regards,
Engineer_Dell
If you give Windows, Unix or Linux users permissions to access the root of the C drive OR the OS folders, or the folder where the crucial file exists, then YES, any one of them could accidentally corrupt ANY file in those folders where they have permissions to access.  You need to be more restrictive of permissions on the file server, not go on a long hunt.

Review all user permissions for ALL directories on the file server.  Do not allow root access for ordinary users, nor access to the Windows or OS folders.  Limit their access to their working directories, and keep ALL KEY system or crucial files inaccessible to ordinary users.  This is the RIGHT way to solve the problem.