How to enable FILE AUDITING in Linux?

I am running a SAMBA server On RedHat Enterprise Linux 3, and am sharing out an entire directory tree to Windows users on a Windows network.

Someone on the network is deleting / changing files in this subtree, and I need to somehow be able to audit this.  Can anyone make suggestions?  Here are some of my concerns:

- I'm not very familiar with Linux, although I'm not afraid of getting around it.
- I'm running SAMBA, but I'm not sure if SAMBA is linked to my Active Directory for users authentication, or if LINUX is just allowing ALL calls to the share / directory tree (how can I determine this?)
- If SAMBA is just allowing open access via the SAMBA service account (or however SAMBA runs), if auditing is enabled, is there any way to see what COMPUTER connected to the share and changed / deleted?

Any help is appreciated, thanks!
Who is Participating?
arrkerr1024Connect With a Mentor Commented:
First things first - take a look at your samba configuration file, called smb.conf and probably in /etc/samba/.  There will be a global configuration and then a specific configuration for the shares.  The global configuration may have some domain information and some authentication information, and the specific shares will say if they are open, if guest is allowed, if it is read-only or not, etc.  Even if you don't understand the specific syntax of this file it should be pretty clear if the shares are wide open or if they are requiring authentication (unless its really crazy!).

As far as file auditing, samba actually creates both a log file for the system and then a specific log file for each system connecting to it, named after the system name or the IP address, or whatever is set up.  Take a look in /var/log/samba/.  When users edit files, they should be logged here.  If not, you should be able to turn it on the configuration file.

It seems to me that you really just need samba to write a log for you, rather than actually auditing all linux files.
I use to watch files beeing change/created etc.
Hence no process available in the output from inotifywait
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

Gabriel OrozcoConnect With a Mentor Solution ArchitectCommented:
to have all deletes and moves logged you may need to increase the log level in your smb.conf to 6
log level = 6

Also you can log by machine assuming a user is attached to his/her machine:
log file = /var/log/samba.log.%m

or by user:
log file = /var/log/samba.log.%U

then you will need to surf the logs to locate who did the change.

hope that helps
I haven't seen any great log analysis tools for samba logs, but you could then easily write a script that just greps for "delete" actions in the log files and emails them to you on a daily basis so that you don't have to manually check.

Those log files will get BIG fast though, so keep a close eye on them, and/or set up logrotate on them.
Gabriel OrozcoSolution ArchitectCommented:
I agree with arrkerr1024... both options need to be addressed.

to have samba rotate its logs you need to add this parameter to smb.conf on the global area. Assuming you are okay with 3MB sized logs:
   max log size = 3000

and for parsing what you need to see, just enable options. delete something, move something else, and look for those on the log corresponding to your machine. then you can do something like:

cat /var/log/samba/MYLOG.log | egrep "PATTERN1|PATTERN2|PATTERN3" >> /var/log/sambamustsee.log

this would monitor only one file, but you can make something more complete from here on...
Forced accept.

EE Admin
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.