MONITORING user's file activity in SAMBA - again

Oliver Thieke thieke at tagesspiegel.de
Fri Oct 5 05:33:23 GMT 2001 

Hi again !

Joel  wrote:
> I don't know if this is what you want. You can use a preexec
> parameter to log various items about the user.  And, use 
> can use a postexec to log various things when they log out.
Thanx ! But unfortunately this doesn't solve my problem.
I browsed the samba variable list in man-pages for smb.conf
but there is no variable holding the user's action(s) on files.
As far as I understand it I just get static informations 
(IP, DNS-Adress, Protocol, Username etc.) from those
variables and the pre/postexec-skript. What I need is dynamic
information (file changes within a given session) !

To be more precise about my point: when I write CGI-scripts
- for example - from a certain Log-Level on all data changes
a user applies are logged. That's also a strategy I have 
observed in various other client/server-systems.
 
The smbd-process knows exactly what he (the user) does to a
file (create/save-changes/delete) because he has to tell 
unix to do so. But he (smbd) won't tell in the log !

I was dreaming of a log file format like this:
(uppercase words shows entries you won't find in current samba
 log format - AFAIK)

   [2001/10/04 19:20:06, 2] smbd/open.c:open_file(602)
     user CREATED stoff_test/new_dir/img00003.gif read=No write=Yes
   [2001/10/04 19:21:06, 2] smbd/open.c:open_file(602)
     user opened file stoff_test/new_dir/img00004.gif read=No write=Yes
   [2001/10/04 19:22:06, 2] smbd/open.c:open_file(602)
     user SAVED stoff_test/new_dir/img00003.gif read=No write=Yes
   [2001/10/04 19:22:06, 2] smbd/open.c:open_file(602)
     user DELETED stoff_test/new_dir/img00003.gif read=No write=Yes

And to make smbd logging those data changes shouldn't be that
complicated (the process knows it already !).

I was looking for a trick to get the required information from
samba itself (or some simple aditional tool).

Yes there would be a different way on Solaris: Turn on BSM. 
But this would be quite a hack... you would have to figure out
how to identify only the commands executed by samba... 
you get growing logs...
...a long way to go (test and code) :-(

I am surprised that this question seems to be so extraordinary.
It is just about a higher security level for a SAMBA-Server.
Nobody out there managing a samba-server who wants to know
which user changed a certain file on which time ?

Any more pointers out there ?  

Maybe this is just a suggestion for improving samba's log
format in the future...

Thanx in advance and greetings from Berlin

Oliver Thieke



P.S.: while writing this an idea came to my mind... using a PERL
script which analyzes samba's log. then gets from smbstatus or
some other log infos on PID and Client-IP. then checks the file
mentioned in the log as "opened" for change or deletion...
Still quite a hack... If "the web" (you ;-)  ) doesn't come up 
with a solution I will try this stony path....

More information about the samba mailing list