MONITORING user's file activity in SAMBA (2.0.7)
Oliver Thieke
thieke at tagesspiegel.de
Thu Oct 4 11:32:03 GMT 2001
Hi out there at the screens !
I'm trying to establish more security on a
samba-based File-Server (on solaris 2.6,
samba version 2.0.7).
The system is screwed up in terms of security,
but I can't change that in the short run. But I
want to be able - at least - to track down the
"bad guy" in case of emergency :-).
My goal is to figure out which client computer
issued a specific file/dir deletion on the
samba-server. The problem is: every client
machine uses the same user name to logon to
the shares (as I wrote: screwed-up-architecture).
I browsed O'Reilly's Samba-Book and the
online-Samba-docu for this issue but I
couldn't come up with a final solution.
I couldn't find any tool providing this
information directly, so I thought of good-ole
PERL and analyzing the logs...
smbstatus prints only connection informations.
I increased the loglevel to 2. OK - now I
can identify the machines (IP+name) and
get their pid. But then I'm stuck with
samba's log file format. I haven't found
out how I can identify a create/save/delete
for a certain file. The file is mentioned
human-readable format but not the action
performed on it (why?).
Example from my experiments:
[2001/10/04 19:21:06, 2] smbd/open.c:open_file(602)
ppi opened file stoff_test/new_dir/img00004.gif read=No write=Yes
(numopen=2)
[2001/10/04 19:21:06, 2] locking/locking_shm.c:shm_del_share_mode(355)
del_share_modes Deleting share mode entry dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2] locking/locking_shm.c:shm_del_share_mode(376)
del_share_modes num entries = 0, deleting share_mode dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2] smbd/close.c:close_normal_file(159)
ppi closed file stoff_test/new_dir/img00004.gif (numopen=1)
What do you think did I do to the image file here ;-) ?
Although I didn't try it I assume that increasing log level
to 3 won't change the situation. Due to space limitations
I have to be careful about disk space consumed by log files...
And according to the docu log level 3 will drown you in
information.
I thought of other tools (like LSOF or Solaris' BSM) but this
would be quite a long way round. And I'm sure there is a
solution in samba itself, somewhere out there...
Can you give me any pointers ?
Thanx for your help in advance from a dusky Berlin
Oliver Thieke
.======================================.
|* *|
|* O. THIEKE *|
|* *|
|* thieke at tagesspiegel.de *|
|* *|
|* Verlag Der Tagesspiegel *|
|* - Admin / Development - *|
|* - I T / PrePress - *|
|* B-E-R-L-I-N *|
|* *|
|* http://www.tagesspiegel.de *|
|* http://www.zitty.de *|
|* http://www.meinberlin.de *|
|* *|
'======================================'
_ _
. .
|
\___/
.________. .________.
> rerum /| |\ causas <
-------/_|________|_\--------
| cognoscere |
*------------*
More information about the samba
mailing list