  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2306
  • Last Modified:

How to enable FILE AUDITING in Linux?

I am running a SAMBA server On RedHat Enterprise Linux 3, and am sharing out an entire directory tree to Windows users on a Windows network.

Someone on the network is deleting / changing files in this subtree, and I need to somehow be able to audit this.  Can anyone make suggestions?  Here are some of my concerns:

- I'm not very familiar with Linux, although I'm not afraid of getting around it.
- I'm running SAMBA, but I'm not sure if SAMBA is linked to my Active Directory for user authentication, or if LINUX is just allowing ALL calls to the share / directory tree (how can I determine this?)
- If SAMBA is just allowing open access via the SAMBA service account (or however SAMBA runs), if auditing is enabled, is there any way to see what COMPUTER connected to the share and changed / deleted?

Any help is appreciated, thanks!
0
jkeegan123
Asked:
jkeegan123
2 Solutions
 
ravenplCommented:
I use http://inotify-tools.sourceforge.net/ to watch files being changed/created etc.
Hence no process is available in the output from inotifywait.
0
 
arrkerr1024Commented:
First things first - take a look at your samba configuration file, called smb.conf and probably in /etc/samba/.  There will be a global configuration and then a specific configuration for the shares.  The global configuration may have some domain information and some authentication information, and the specific shares will say if they are open, if guest is allowed, if it is read-only or not, etc.  Even if you don't understand the specific syntax of this file it should be pretty clear if the shares are wide open or if they are requiring authentication (unless it's really crazy!).

As far as file auditing, samba actually creates both a log file for the system and then a specific log file for each system connecting to it, named after the system name or the IP address, or whatever is set up.  Take a look in /var/log/samba/.  When users edit files, they should be logged here.  If not, you should be able to turn it on in the configuration file.

It seems to me that you really just need samba to write a log for you, rather than actually auditing all linux files.
0
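The answer above says a quick read of smb.conf shows whether a share is wide open. As an added example (not code from the thread or from Samba), here is a small reader that parses an smb.conf and reports, per share, whether guest access is allowed, whether the share is writable, and what the global security mode is. Samba option names are case-insensitive and ignore internal whitespace, so keys are normalised before comparison. The smb.conf text embedded below is constructed for the example and is not from any real server.

```python
"""Added example: report which Samba shares allow guest access and writes.

Assumptions: smb.conf syntax of [section] headers, "key = value" lines and
"#"/";" comments; the sample config below is constructed, not a real file.
"""
import re

SAMPLE_SMB_CONF = """
[global]
   workgroup = CORP
   security = user
   map to guest = Bad User
   log level = 1

[public]
   path = /srv/public
   guest ok = yes
   writable = yes

[projects]
   path = /srv/projects
   read only = no
   valid users = @staff

; old share nobody remembers
[scratch]
   path = /srv/scratch
   public = yes
   read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def normalise_key(key):
    # Samba treats "guest ok", "Guest OK" and "guestok" as the same option.
    return re.sub(r"\s+", "", key).lower()


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def parse_smb_conf(text):
    """Return {section name: {normalised key: value}}; comments are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalise_key(key)] = value.strip()
    return sections


def audit_shares(sections):
    """One finding per share: guest access, writability, and global auth mode."""
    glob = sections.get("global", {})
    findings = []
    for name, opts in sections.items():
        if name in ("global", "homes", "printers"):
            continue
        # "guest ok" and its synonym "public" both allow anonymous access.
        guest = is_true(opts.get("guestok")) or is_true(opts.get("public"))
        # Shares are read-only by default; "read only = no" or "writable = yes"
        # (also spelled "writeable") makes them writable.
        read_only = opts.get("readonly")
        writable = (is_true(opts.get("writable")) or is_true(opts.get("writeable"))
                    or (read_only is not None and not is_true(read_only)))
        findings.append({
            "share": name,
            "guest_access": guest,
            "writable": writable,
            "restricted_to": opts.get("validusers"),
            "security": glob.get("security", "user"),   # Samba 3 default
            "map_to_guest": glob.get("maptoguest", "Never"),
        })
    return findings


def wide_open_shares(findings):
    """Names of shares that anonymous clients could modify."""
    return sorted(f["share"] for f in findings if f["guest_access"] and f["writable"])


if __name__ == "__main__":
    found = audit_shares(parse_smb_conf(SAMPLE_SMB_CONF))
    for f in found:
        print(f)
    print("wide open:", wide_open_shares(found))
```

A "security = ads" or "security = domain" line in [global] (with a realm or password server) is what ties authentication to Active Directory; "security = user" with "map to guest = Bad User" means failed logins silently become guest sessions, which is why a guest-ok writable share shows up as wide open here.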
 
Gabriel OrozcoSolution ArchitectCommented:
To have all deletes and moves logged you may need to increase the log level in your smb.conf to 6:
log level = 6

Also you can log by machine, assuming a user is attached to his/her machine:
log file = /var/log/samba.log.%m

or by user:
log file = /var/log/samba.log.%U

Then you will need to surf the logs to locate who did the change.

Hope that helps.
0
 
arrkerr1024Commented:
I haven't seen any great log analysis tools for samba logs, but you could then easily write a script that just greps for "delete" actions in the log files and emails them to you on a daily basis so that you don't have to manually check.

Those log files will get BIG fast though, so keep a close eye on them, and/or set up logrotate on them.
0
 
Gabriel OrozcoSolution ArchitectCommented:
I agree with arrkerr1024... both options need to be addressed.

To have samba rotate its logs you need to add this parameter to smb.conf in the global area. Assuming you are okay with 3MB sized logs:
   max log size = 3000

And for parsing what you need to see, just enable the options, delete something, move something else, and look for those in the log corresponding to your machine. Then you can do something like:

grep -E "PATTERN1|PATTERN2|PATTERN3" /var/log/samba/MYLOG.log >> /var/log/sambamustsee.log

This would monitor only one file, but you can make something more complete from here on...
0
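The three answers above (raise the log level, log per machine with %m, then grep the logs for delete and rename activity) can be turned into a small report script. This is an added example, not code from the thread or from Samba: it walks per-machine log files, attributes each event to the client name taken from the file's %m suffix, and picks out delete and rename messages. Samba 3 logs a header line of the form "[date time, level] source:function(line)" followed by the message on the next line; the message wording differs between versions, so the patterns are keyword-based and should be adjusted after reproducing a delete and a move on a test share as suggested. The log contents below are constructed for the example.

```python
"""Added example: summarise delete/rename events from per-machine Samba logs.

Assumptions: "log file = /var/log/samba.log.%m" so the client name is the
filename suffix; messages mentioning "unlink", "rename on ... -> ..." or
"rmdir" mark deletes, renames and directory removals. Logs are constructed.
"""
import re
from collections import defaultdict

# Constructed sample logs: {log file path: file contents}.
SAMPLE_LOGS = {
    "/var/log/samba.log.ws-finance-03": """\
[2005/03/01 14:22:05, 3] smbd/reply.c:reply_unlink(2173)
  reply_unlink : Docs/Q4/budget.xls
[2005/03/01 14:22:09, 3] smbd/reply.c:rename_internals(4101)
  rename_internals: succeeded doing rename on Docs/Q4/plan.doc -> Docs/Q4/plan_old.doc
[2005/03/01 14:30:00, 3] smbd/reply.c:reply_open(1200)
  open file Docs/readme.txt
""",
    "/var/log/samba.log.ws-sales-11": """\
[2005/03/01 15:01:44, 3] smbd/reply.c:reply_unlink(2173)
  reply_unlink : Shared/contract.pdf
""",
}

# Header line: "[YYYY/MM/DD HH:MM:SS, level] ..."
HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\]")

# (action, pattern) pairs; groups capture the path(s) involved.
EVENT_PATTERNS = [
    ("delete", re.compile(r"unlink\b.*?:\s*(\S.*)$")),
    ("rename", re.compile(r"rename on (.+?) -> (.+)$")),
    ("rmdir", re.compile(r"rmdir\b.*?:\s*(\S.*)$")),
]


def machine_from_path(path):
    # %m expands to the client's NetBIOS name, i.e. everything after "samba.log."
    return path.rsplit("samba.log.", 1)[-1]


def parse_samba_log(text):
    """Return a list of {time, action, paths} for matching messages."""
    events = []
    timestamp = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            timestamp = header.group(1)   # applies to the message line(s) that follow
            continue
        message = line.strip()
        for action, pattern in EVENT_PATTERNS:
            hit = pattern.search(message)
            if hit:
                events.append({"time": timestamp, "action": action,
                               "paths": list(hit.groups())})
                break
    return events


def summarise(logs):
    """Group events by client machine: {machine: [event, ...]}."""
    report = defaultdict(list)
    for path, text in logs.items():
        machine = machine_from_path(path)
        for event in parse_samba_log(text):
            event["machine"] = machine
            report[machine].append(event)
    return dict(report)


def format_report(report):
    """Plain-text lines suitable for a daily mail, one event per line."""
    lines = []
    for machine in sorted(report):
        for event in report[machine]:
            lines.append("%s %-15s %-6s %s" % (
                event["time"], machine, event["action"], " -> ".join(event["paths"])))
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real server, read the files matching /var/log/samba.log.* instead.
    print(format_report(summarise(SAMPLE_LOGS)))
```

Because the machine name comes from the log file name rather than from the message, the attribution is only as good as the %m mapping; if several people share a PC, switch to %U (or log both) so the report carries the user as well.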
 
Computer101Commented:
Forced accept.

Computer101
EE Admin
0
