jkeegan123

asked on

How to enable FILE AUDITING in Linux?

I am running a SAMBA server on Red Hat Enterprise Linux 3, and am sharing out an entire directory tree to Windows users on a Windows network.

Someone on the network is deleting / changing files in this subtree, and I need to somehow be able to audit this. Can anyone make suggestions? Here are some of my concerns:

- I'm not very familiar with Linux, although I'm not afraid of getting around it.
- I'm running SAMBA, but I'm not sure if SAMBA is linked to my Active Directory for user authentication, or if LINUX is just allowing ALL calls to the share / directory tree (how can I determine this?)
- If SAMBA is just allowing open access via the SAMBA service account (or however SAMBA runs), if auditing is enabled, is there any way to see what COMPUTER connected to the share and changed / deleted?

Any help is appreciated, thanks!
ravenpl

I use http://inotify-tools.sourceforge.net/ to watch files being changed/created etc.
Hence no process available in the output from inotifywait
ASKER CERTIFIED SOLUTION
arrkerr1024

I haven't seen any great log analysis tools for samba logs, but you could then easily write a script that just greps for "delete" actions in the log files and emails them to you on a daily basis so that you don't have to manually check.

Those log files will get BIG fast though, so keep a close eye on them, and/or set up logrotate on them.
I agree with arrkerr1024... both options need to be addressed.

To have Samba rotate its logs you need to add this parameter to smb.conf in the global section. Assuming you are okay with 3MB sized logs:
   max log size = 3000

And for parsing what you need to see, just enable options. Delete something, move something else, and look for those in the log corresponding to your machine. Then you can do something like:

egrep "PATTERN1|PATTERN2|PATTERN3" /var/log/samba/MYLOG.log >> /var/log/sambamustsee.log

This would monitor only one file, but you can make something more complete from here on...
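A shell version of the per-machine log check described above, as an added example that is not code from the thread: it assumes Samba writes one log per client machine (as with `log file = /var/log/samba/%m.log`) and that, once the log level is raised, deletes and renames appear as lines containing `unlink`, `rename` or `rmdir`; those patterns and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Samba keeps one log per client
# machine (smb.conf: log file = /var/log/samba/%m.log, %m = client NetBIOS name) and
# that, with the log level raised, deletes and renames appear as lines containing the
# words below. The patterns are assumptions: confirm them the way the thread suggests,
# by deleting and moving a test file and reading your own machine's log.
PATTERNS='unlink|rename|rmdir'

# Lines to append to the "must see" log: the matching lines from every client log,
# each prefixed with the log file name (the client machine). /dev/null forces the
# filename prefix even when only one log exists.
samba_delete_lines() {
    grep -E "$PATTERNS" /dev/null "$1"/*.log || true
}

# Per-client summary for the daily mail: "<client> <matching lines>", busiest first.
samba_delete_report() {
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        n=$(grep -Ec "$PATTERNS" "$f" || true)   # grep -c exits 1 on zero matches
        if [ "$n" -gt 0 ]; then
            echo "$(basename "$f" .log) $n"
        fi
    done | sort -k2,2nr
}

# Constructed sample logs standing in for /var/log/samba/*.log (not real captures).
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/PC-ALICE.log" <<'EOF'
[2006/03/01 09:12:03, 2] reply_unlink: unlink of projects/budget.xls succeeded
[2006/03/01 09:15:44, 2] reply_mv: rename projects/draft.doc -> projects/old.doc
EOF
    cat > "$dir/PC-BOB.log" <<'EOF'
[2006/03/01 10:01:10, 2] reply_open: open of projects/notes.txt succeeded
EOF
    cat > "$dir/PC-CAROL.log" <<'EOF'
[2006/03/01 11:30:00, 2] reply_unlink: unlink of projects/plan.doc succeeded
EOF
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_logs)
    samba_delete_report "$d"   # PC-ALICE 2, then PC-CAROL 1
    samba_delete_lines "$d"
    rm -r "$d"
fi
```

Point both functions at the real log directory from a daily cron job and mail the output; the machine name in the prefix answers the "which computer" question as long as Samba is logging per client.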
Forced accept.

Computer101
EE Admin