[Samba] tracking user activity - Active Directory

Bob Miller bob at computerisms.ca
Thu Mar 7 18:50:23 MST 2013


The share auditing is an excellent point.  I was not actually aware that
those existed, so thank you for bringing this to my attention, and yes I
will be setting that up.  But they are not applicable in this case.  

The reason to establish if someone logged into the network is to
determine who was present in the office, not because anything happened
on the network.  The event occurred during off hours and we know when
that was, so if we can determine someone logged into the network around
that time, it will give a clue who was physically present.
-- 
Computerisms
Bob Miller      
867-334-7117 / 867-633-3760
http://computerisms.ca


On Thu, 2013-03-07 at 19:25 -0600, Gregory Carter wrote:
> Good point.
> 
> One further, since we are on the discussion.
> 
> Whatever mischief you say happened requires something to have been 
> changed on the samba server, if you have the audit trail turned on for 
> your shares.
> 
> If you haven't done that already, I suggest you turn on the share 
> auditing features.
> 
> But a login doesn't constitute much in the area of evidence other than 
> circumstantial.
> 
> Furthermore, if the SAMBA server was used as an authentication point 
> only, and the mischief took place on the local workstation, you won't 
> see that obviously on any samba log.
> 
> Obvious perhaps to many here, but stated nonetheless, you should engage 
> audits for your shares too.
> 
> For example:
> 
> [SG2TB]
>          comment = SG2TB
>          path = /mnt/sdcard
>          read only = no
> ;       browseable = yes
>          valid users = gcarter
>          full_audit:failure = none
>          full_audit:success = mkdir rename unlink rmdir open pwrite
>          full_audit:prefix = %u|%I|%m|%S
> 
> -gc
> 
> On 03/07/2013 06:01 PM, Gregory Sloop wrote:
> > Pardon me for butting in, and probably you've already considered this,
> > but what the heck.
> >
> > Do you even know that the user actually logged in during the time in
> > question? I suppose the logs will at least let you know *if* anyone
> > did log in, but if the trouble-maker used an already logged-in station
> > you get nada in the logs.
> >
> > -Greg
> >
> 
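
Added example, not part of the thread: a Python sketch that reads audit records written with the `full_audit:prefix = %u|%I|%m|%S` setting quoted above and lists which user, client address and machine touched the share inside a time window. It assumes the share loads the module with `vfs objects = full_audit` and that records reach syslog under the `smbd_audit` tag; the sample lines, host names, addresses and dates are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines. Assumed layout: syslog header, then the
# full_audit prefix from the share above (%u|%I|%m|%S), then the
# operation, its result and its arguments, all separated by "|".
SAMPLE_LOG = """\
Mar  6 17:02:11 fs1 smbd_audit: gcarter|192.0.2.20|ws-front|SG2TB|open|ok|r|report.ods
Mar  6 23:41:07 fs1 smbd_audit: gcarter|192.0.2.31|ws-back|SG2TB|open|ok|w|ledger.ods
Mar  6 23:41:09 fs1 smbd_audit: gcarter|192.0.2.31|ws-back|SG2TB|pwrite|ok|ledger.ods
Mar  6 23:44:52 fs1 smbd_audit: gcarter|192.0.2.31|ws-back|SG2TB|unlink|ok|old/notes.txt
Mar  6 23:45:00 fs1 smbd[2211]: unrelated daemon message
Mar  7 08:15:30 fs1 smbd_audit: gcarter|192.0.2.20|ws-front|SG2TB|mkdir|ok|inbox
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit(?:\[\d+\])?: (?P<body>.*)$")

def parse_line(line, year):
    """Return a dict for one audit record, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("body").split("|", 6)  # arguments may contain "|"
    if len(fields) < 6:
        return None
    user, ip, machine, share, op, result = fields[:6]
    # Syslog timestamps carry no year, so the caller supplies it.
    when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"when": when, "user": user, "ip": ip, "machine": machine,
            "share": share, "op": op, "result": result,
            "args": fields[6] if len(fields) > 6 else ""}

def activity_in_window(log_text, start, end, year):
    """Audit records with start <= timestamp <= end, in log order."""
    records = (parse_line(l, year) for l in log_text.splitlines())
    return [r for r in records if r and start <= r["when"] <= end]

def clients_seen(records):
    """Distinct (user, ip, machine) tuples seen in the given records."""
    return sorted({(r["user"], r["ip"], r["machine"]) for r in records})

if __name__ == "__main__":
    hits = activity_in_window(SAMPLE_LOG, datetime(2013, 3, 6, 22, 0),
                              datetime(2013, 3, 7, 2, 0), year=2013)
    for r in hits:
        print(r["when"], r["user"], r["ip"], r["machine"], r["op"], r["args"])
    print(clients_seen(hits))
```

The result ties share activity to an account and a client machine, not to a person, and a session opened before the window only shows up if it performs one of the audited operations during it.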