MONITORING user's file activity in SAMBA (2.0.7)

Oliver Thieke thieke at tagesspiegel.de
Thu Oct 4 11:32:03 GMT 2001


Hi out there at the screens!

I'm trying to establish more security on a
samba-based File-Server (on solaris 2.6,
samba version 2.0.7).
The system is screwed up in terms of security,
but I can't change that in the short run. But I 
want to be able - at least - to track down the 
"bad guy" in case of emergency :-).

My goal is to figure out which client computer
issued a specific file/dir deletion on the 
samba-server. The problem is: every client 
machine uses the same user name to logon to 
the shares (as I wrote: screwed-up-architecture).

I browsed O'Reilly's Samba-Book and the 
online-Samba-docu for this issue but I 
couldn't come up with a final solution.
I couldn't find any tool providing this 
information directly, so I thought of good-ole
PERL and analyzing the logs...

smbstatus prints only connection information.
I increased the loglevel to 2. OK - now I 
can identify the machines (IP+name) and
get their pid. But then I'm stuck with 
samba's log file format. I haven't found
out how I can identify a create/save/delete
for a certain file. The file is mentioned in
human-readable format but not the action
performed on it (why?).

Example from my experiments:
[2001/10/04 19:21:06, 2] smbd/open.c:open_file(602)
  ppi opened file stoff_test/new_dir/img00004.gif read=No write=Yes (numopen=2)
[2001/10/04 19:21:06, 2] locking/locking_shm.c:shm_del_share_mode(355)
  del_share_modes Deleting share mode entry dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2] locking/locking_shm.c:shm_del_share_mode(376)
  del_share_modes num entries = 0, deleting share_mode dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2] smbd/close.c:close_normal_file(159)
  ppi closed file stoff_test/new_dir/img00004.gif (numopen=1) 

What do you think I did to the image file here ;-)?

Although I didn't try it I assume that increasing log level 
to 3 won't change the situation. Due to space limitations
I have to be careful about disk space consumed by log files...
And according to the docu log level 3 will drown you in
information.

I thought of other tools (like LSOF or Solaris' BSM) but this
would be quite a long way round. And I'm sure there is a
solution in samba itself, somewhere out there...

Can you give me any pointers?

Thanx for your help in advance from a dusky Berlin

Oliver Thieke
.======================================.
|*                                    *|
|*             O. THIEKE              *|
|*                                    *|
|*       thieke at tagesspiegel.de       *|
|*                                    *|
|*      Verlag Der Tagesspiegel       *|
|*      - Admin / Development -       *|
|*        - I T  / PrePress -         *|
|*            B-E-R-L-I-N             *|
|*                                    *|
|*     http://www.tagesspiegel.de     *|
|*     http://www.zitty.de            *|
|*     http://www.meinberlin.de       *|
|*                                    *|
'======================================'
                  _ _
                  . .
                   |
                 \___/
                                 
    .________.         .________.      
     > rerum /|        |\ causas <
     -------/_|________|_\--------
            | cognoscere |
            *------------*             
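The log-parsing approach sketched in the post, as an added example that is not part of the original message and not Samba's own code: a small parser for the Samba 2.0.x debug-log layout shown above (a bracketed header line followed by an indented message line) that attaches each "opened file" / "closed file" event to the client that produced it. The open/close line formats are taken from the excerpt in the post; the connect line ("HOST (IP) connect to service SHARE as user USER (uid=..., gid=...) (pid N)", written at log level 1 by make_connection) is assumed here, and the sample log, the host WS01, the address 192.168.1.5, the pid 4711 and the line number 550 are all constructed for the example. Attribution by "most recent connect line" is only safe when each client machine writes its own log (log file = .../log.%m); in one shared log.smbd the forked smbd children interleave and the events cannot be told apart, which is the caveat the code states explicitly. Whether a close followed a write is recoverable (write=Yes on the open), but the deletion itself is not visible at this log level, exactly as the post observes.

```python
"""Attribute Samba 2.0.x log-level-2 file events to the client that caused them.

Added example, not code from the mailing-list post or from Samba itself.
The connect-line format and the sample log below are assumptions/constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Debug header, format from the post: "[2001/10/04 19:21:06, 2] smbd/open.c:open_file(602)"
HEADER_RE = re.compile(r'^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$')

# Connect line (ASSUMED format, emitted by smbd/service.c:make_connection at level 1):
#   "WS01 (192.168.1.5) connect to service stoff_test as user ppi (uid=100, gid=100) (pid 4711)"
CONNECT_RE = re.compile(
    r'^(?P<host>\S+) \((?P<ip>[\d.]+)\) connect to service (?P<share>\S+) '
    r'as user (?P<user>\S+) .*\(pid (?P<pid>\d+)\)$')

# Open line, format from the post's excerpt:
#   "ppi opened file stoff_test/new_dir/img00004.gif read=No write=Yes (numopen=2)"
OPEN_RE = re.compile(
    r'^(?P<user>\S+) opened file (?P<path>\S+) read=(?P<r>Yes|No) write=(?P<w>Yes|No)')

# Close line, also from the excerpt: "ppi closed file stoff_test/new_dir/img00004.gif (numopen=1)"
CLOSE_RE = re.compile(r'^(?P<user>\S+) closed file (?P<path>\S+)')


@dataclass
class Client:
    host: str
    ip: str
    share: str
    user: str
    pid: int


@dataclass
class FileEvent:
    when: str                 # timestamp of the preceding header line
    action: str               # "open" or "close"
    path: str
    write: Optional[bool]     # only known for "open" events
    client: Optional[Client]  # None if no connect line preceded the event


def parse_log(text: str) -> List[FileEvent]:
    """Walk one Samba debug log and attach open/close events to the most recent
    connect line.  Safe only for per-machine logs (log file = .../log.%m): in a
    single shared log.smbd the per-client smbd children interleave their lines
    and carry no pid per line, so "most recent connect" would misattribute."""
    events: List[FileEvent] = []
    current: Optional[Client] = None
    when = ""
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                      # header line: remember its timestamp only
            when = m.group(1)
            continue
        body = line.strip()        # message lines are indented by two spaces
        m = CONNECT_RE.match(body)
        if m:
            current = Client(m['host'], m['ip'], m['share'], m['user'], int(m['pid']))
            continue
        m = OPEN_RE.match(body)
        if m:
            events.append(FileEvent(when, "open", m['path'], m['w'] == 'Yes', current))
            continue
        m = CLOSE_RE.match(body)
        if m:
            events.append(FileEvent(when, "close", m['path'], None, current))
    return events


def writers_of(events: List[FileEvent], path: str) -> List[Tuple[str, str, int]]:
    """(host, ip, pid) of every attributed client that opened `path` for writing."""
    return sorted({(e.client.host, e.client.ip, e.client.pid)
                   for e in events
                   if e.action == "open" and e.write and e.path == path and e.client})


# Constructed sample: a connect line (assumed format) followed by the post's excerpt.
SAMPLE_LOG = """\
[2001/10/04 19:20:58, 1] smbd/service.c:make_connection(550)
  WS01 (192.168.1.5) connect to service stoff_test as user ppi (uid=100, gid=100) (pid 4711)
[2001/10/04 19:21:06, 2] smbd/open.c:open_file(602)
  ppi opened file stoff_test/new_dir/img00004.gif read=No write=Yes (numopen=2)
[2001/10/04 19:21:06, 2] locking/locking_shm.c:shm_del_share_mode(355)
  del_share_modes Deleting share mode entry dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2] smbd/close.c:close_normal_file(159)
  ppi closed file stoff_test/new_dir/img00004.gif (numopen=1)
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        who = f"{e.client.host}/{e.client.ip} pid {e.client.pid}" if e.client else "unattributed"
        print(f"{e.when} {e.action:5} {e.path} write={e.write} by {who}")
    print("wrote img00004.gif:", writers_of(evs, "stoff_test/new_dir/img00004.gif"))
```

Run it against a per-machine log (or feed a whole directory of log.%m files in, one call per file) and writers_of() gives the host, address and smbd pid behind every write-open of the path in question; anything logged before the first connect line stays marked unattributed rather than being guessed.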