How to enable FILE AUDITING in Linux?

Posted on 2007-10-10
Last Modified: 2013-12-16
I am running a SAMBA server On RedHat Enterprise Linux 3, and am sharing out an entire directory tree to Windows users on a Windows network.

Someone on the network is deleting / changing files in this subtree, and I need to somehow be able to audit this.  Can anyone make suggestions?  Here are some of my concerns:

- I'm not very familiar with Linux, although I'm not afraid of getting around it.
- I'm running SAMBA, but I'm not sure if SAMBA is linked to my Active Directory for users authentication, or if LINUX is just allowing ALL calls to the share / directory tree (how can I determine this?)
- If SAMBA is just allowing open access via the SAMBA service account (or however SAMBA runs), if auditing is enabled, is there any way to see what COMPUTER connected to the share and changed / deleted?

Any help is appreciated, thanks!
Question by: jkeegan123
    LVL 43

    Expert Comment

    I used to watch files being changed/created etc.
    Hence no process available in the output from inotifywait
    LVL 14

    Accepted Solution

    First things first - take a look at your samba configuration file, called smb.conf and probably in /etc/samba/.  There will be a global configuration and then a specific configuration for the shares.  The global configuration may have some domain information and some authentication information, and the specific shares will say if they are open, if guest is allowed, if it is read-only or not, etc.  Even if you don't understand the specific syntax of this file it should be pretty clear if the shares are wide open or if they are requiring authentication (unless it's really crazy!).

    As far as file auditing, samba actually creates both a log file for the system and then a specific log file for each system connecting to it, named after the system name or the IP address, or whatever is set up.  Take a look in /var/log/samba/.  When users edit files, they should be logged here.  If not, you should be able to turn it on in the configuration file.

    It seems to me that you really just need samba to write a log for you, rather than actually auditing all linux files.
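    The accepted solution says to read smb.conf and work out from the [global] and per-share sections whether the shares are wide open. As an added example (not code from this thread, and not a Samba tool), the POSIX shell script below parses an smb.conf with awk and prints one line per section with the settings that decide that: security, log level and log file for [global], and path, guest access, read-only and valid users for each share. The smb.conf it reads is a constructed sample embedded in the script; it assumes Samba's documented synonyms (public = guest ok, writable/writeable = the inverse of read only) and Samba's default of security = user when the key is absent.

```shell
#!/bin/sh
# Constructed smb.conf sample, only here to exercise the parser below.
SAMPLE_CONF="${TMPDIR:-/tmp}/smb_conf_sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   log level = 1
   log file = /var/log/samba/%m.log

[shared]
   ; wide open: guests allowed and writable
   path = /srv/shared
   guest ok = yes
   writable = yes

[finance]
   path = /srv/finance
   read only = yes
   valid users = @finance
EOF

# smb_summary FILE : print one summary line per section of an smb.conf.
# Keys are lower-cased and whitespace-normalised, so "Guest OK", "public",
# "writable", "writeable" and "read only" are all recognised (synonyms as
# documented in smb.conf(5)). Comment lines (; or #) are skipped.
# Limitation (assumption of this example): "include =" and "copy =" are
# not followed; run it on "testparm -s" output if you use those.
smb_summary() {
    awk '
    function yes(x) { return tolower(x) ~ /^(yes|true|1)$/ }
    function flush(   k, sec, guest, ro) {
        if (sect == "") return
        if (tolower(sect) == "global") {
            # Samba defaults to security = user when the key is absent.
            sec = (v["security"] != "") ? v["security"] : "user (default)"
            printf "global: security=%s log_level=%s log_file=%s max_log_size=%s\n",
                sec, v["log level"], v["log file"], v["max log size"]
        } else {
            guest = (v["guest ok"] != "") ? v["guest ok"] : ((v["public"] != "") ? v["public"] : "no")
            if (v["read only"] != "")      ro = yes(v["read only"]) ? "yes" : "no"
            else if (v["writable"] != "")  ro = yes(v["writable"]) ? "no" : "yes"
            else if (v["writeable"] != "") ro = yes(v["writeable"]) ? "no" : "yes"
            else                           ro = "yes"
            printf "%s: path=%s guest=%s read_only=%s valid_users=%s\n",
                sect, v["path"], guest, ro, v["valid users"]
        }
        for (k in v) delete v[k]
    }
    /^[ \t]*[;#]/ { next }
    /^[ \t]*\[/ { flush(); sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next }
    /=/ {
        key = $0; sub(/=.*/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        key = tolower(key); gsub(/[ \t]+/, " ", key)
        v[key] = val
    }
    END { flush() }
    ' "$1"
}

smb_summary "$SAMPLE_CONF"
```

    Run it against /etc/samba/smb.conf instead of the sample: a share line reading guest=yes read_only=no with an empty valid_users list is the "wide open" case the answer describes, and the global line shows whether any per-machine (%m) or per-user (%U) log file is already configured.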
    LVL 19

    Assisted Solution

    To have all deletes and moves logged you may need to increase the log level in your smb.conf to 6:
    log level = 6

    Also you can log by machine assuming a user is attached to his/her machine:
    log file = /var/log/samba.log.%m

    or by user:
    log file = /var/log/samba.log.%U

    Then you will need to surf the logs to locate who did the change.

    Hope that helps
    LVL 14

    Expert Comment

    I haven't seen any great log analysis tools for samba logs, but you could then easily write a script that just greps for "delete" actions in the log files and emails them to you on a daily basis so that you don't have to manually check.

    Those log files will get BIG fast though, so keep a close eye on them, and/or set up logrotate on them.
    LVL 19

    Expert Comment

    I agree with arrkerr1024... both options need to be addressed.

    To have samba rotate its logs you need to add this parameter to smb.conf in the global area. Assuming you are okay with 3MB sized logs:
       max log size = 3000

    And for parsing what you need to see, just enable the options, delete something, move something else, and look for those in the log corresponding to your machine. Then you can do something like:

    egrep "PATTERN1|PATTERN2|PATTERN3" /var/log/samba/MYLOG.log >> /var/log/sambamustsee.log

    This would monitor only one file, but you can make something more complete from here on...
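    The two comments above (arrkerr1024's daily grep-and-mail script and the egrep pipeline into /var/log/sambamustsee.log) describe the same job, so here is one added example that does both; it is not code from this thread. The difference from the one-line pipeline is that it remembers how far into each log it has already read, so a daily cron run reports only new events instead of re-sending the whole log every day, and it notices when logrotate or "max log size" has truncated the file. The sample log lines are constructed for this example and do not reproduce Samba's real debug output; as the comment says, find the real patterns by deleting and moving a test file and looking at the log for your machine.

```shell
#!/bin/sh
STATE_DIR="${TMPDIR:-/tmp}/samba_audit.$$"
mkdir -p "$STATE_DIR"
SAMPLE_LOG="$STATE_DIR/WS01.log"
# Constructed sample of a per-machine log (log file = /var/log/samba/%m.log).
# The wording is invented for this example, NOT samba's actual messages.
cat > "$SAMPLE_LOG" <<'EOF'
[2007/10/10 09:12:01, 3] constructed: unlink /srv/shared/reports/q3.xls
[2007/10/10 09:12:05, 3] constructed: open /srv/shared/reports/q4.xls
[2007/10/10 09:13:40, 3] constructed: rename /srv/shared/reports/old.doc -> /srv/shared/archive/old.doc
EOF

# report_changes LOG PATTERN_ERE OUT
#   Appends the lines of LOG matching PATTERN_ERE to OUT, but only lines
#   written since the previous run: the byte offset reached is kept in a
#   per-log state file next to OUT. If LOG is now smaller than the stored
#   offset it was rotated or truncated, so it is read from the start again.
#   Prints the number of newly reported lines (0 when nothing new).
report_changes() {
    log=$1; pattern=$2; out=$3
    state="$out.$(basename "$log").offset"
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    size=$(wc -c < "$log" | tr -d ' ')
    [ "$size" -lt "$last" ] && last=0
    new=$(tail -c +$((last + 1)) "$log" | grep -E "$pattern" || true)
    n=0
    if [ -n "$new" ]; then
        printf '%s\n' "$new" >> "$out"
        n=$(printf '%s\n' "$new" | wc -l | tr -d ' ')
    fi
    echo "$size" > "$state"
    echo "$n"
}

# daily_report LOGDIR PATTERN_ERE OUT
#   Runs report_changes over every per-machine *.log in LOGDIR and prints
#   the total number of new matches. OUT must live outside LOGDIR (the
#   thread's /var/log/sambamustsee.log does) or it would scan itself.
daily_report() {
    dir=$1; pattern=$2; out=$3; total=0
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        c=$(report_changes "$f" "$pattern" "$out")
        total=$((total + c))
    done
    echo "$total"
}

# Stand-alone run over the constructed sample.
daily_report "$STATE_DIR" 'unlink|rename' "$STATE_DIR/mustsee.out"
```

    For the daily mail, put something like `0 6 * * * /usr/local/bin/samba_audit.sh` in root's crontab and have the script mail the file only when the count is non-zero, for example `mail -s "samba changes" admin@example.com < /var/log/sambamustsee.log` (address is a placeholder). Keep the patterns tight: at log level 6 the per-machine logs grow fast, which is why the same thread recommends max log size or logrotate.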
    LVL 1

    Expert Comment

    Forced accept.

    EE Admin
