SUMMARY: File system auditing - maybe samba

From: Shaun.Racine@intier.com
Date: Tue Feb 04 2003 - 05:53:27 EST


Many thanks to all those who replied, original question and all responses
listed below.

I settled for using Samba logging. I was uncomfortable about auditing using
the OS; we do not use enhanced security, and it was only one partition that
we wanted to monitor. We currently capture the Unix process writing the
file in its own log.

NB: The man pages for Samba say that kill -USR[12] are discontinued for
version 2.2.

The solution was:
Create the log directory referenced in smb.conf, for some reason(?) we did
not have it already. I changed permissions because I did not know which
user was going to be writing to logs... (root of course! - duh).

vi the smb.conf, change the logsize to something more appropriate (from 50
kb to 50000 kb), otherwise the ".old" log files keep getting overwritten.

Use smbcontrol to enable debug level 2.

root> mkdir /var/log/samba
root> chmod 777 /var/log/samba
root> /usr/local/samba/smbcontrol smbd debug 2

Job done.

Thanks once again,

Shaun Racine
Systems Development Manager
Intier Automotive Interiors Ltd
tel: +44 1622 852326 / 859491
fax: +44 1622 850587
email: shaun.racine@intier.com
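The three steps of the solution above (create the log directory, raise the log size in smb.conf, set debug level 2), as an added example that is not from the original post or the Samba project: a POSIX shell script that prepares the log directory and edits a constructed smb.conf. `max log size` (in kilobytes) and `log level` are the real smb.conf parameter names; the directory path, scratch directory and sample config contents are assumptions, and the script deliberately departs from the post by making the directory 750 and root-owned rather than 777.

```shell
#!/bin/sh
# Added example, not the commands from the list post. Prepares a Samba log
# directory and edits "max log size" / "log level" in a constructed smb.conf.
# All paths here are assumptions; the real config lives wherever smbd reads it.
set -eu

# Create the log directory writable by root only. smbd writes its logs as root,
# so the "chmod 777" in the post is unnecessary and would let any local user
# truncate, fill or replace the log files that are meant to serve as evidence.
prepare_log_dir() {
    mkdir -p "$1"
    chmod 750 "$1"
}

# Set a [global] parameter in smb.conf (key given in lower case). An existing
# line for the key is replaced; otherwise the setting is inserted right after
# the [global] header. Samba parameter names are case-insensitive.
set_global_param() {
    conf=$1; key=$2; val=$3; tmp="$conf.tmp"
    if grep -qi "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
        awk -v key="$key" -v val="$val" '
            tolower($0) ~ ("^[ \t]*" key "[ \t]*=") { print "   " key " = " val; next }
            { print }' "$conf" > "$tmp"
    else
        awk -v key="$key" -v val="$val" '
            { print }
            /^\[global\]/ { print "   " key " = " val }' "$conf" > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Read back a parameter value (whitespace trimmed) so the change can be checked.
get_global_param() {
    awk -v key="$2" -F= '
        tolower($1) ~ ("^[ \t]*" key "[ \t]*$") {
            sub(/^[ \t]*/, "", $2); sub(/[ \t]*$/, "", $2); print $2
        }' "$1"
}

# Walk-through on a constructed smb.conf in a scratch directory.
demo() {
    work=$(mktemp -d)
    conf="$work/smb.conf"
    cat > "$conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   log file = /var/log/samba/log.%m
   max log size = 50

[transfer]
   path = /data/transfer
   writeable = yes
EOF
    prepare_log_dir "$work/var/log/samba"
    # 50 KB rotates to .old and is overwritten within minutes on a busy share;
    # 50000 KB (the post's value) keeps a usable history of level-2 events.
    set_global_param "$conf" "max log size" 50000
    # Persist the level; "smbcontrol smbd debug 2" only changes the running smbd.
    set_global_param "$conf" "log level" 2
    echo "max log size now: $(get_global_param "$conf" "max log size") KB"
    echo "log level now:    $(get_global_param "$conf" "log level")"
    rm -rf "$work"
}

demo
```

Two points worth keeping in mind when using this as an audit trail: `smbcontrol smbd debug 2` raises the level only for the running daemons, so `log level = 2` in smb.conf is what survives a restart; and Samba's log records only operations performed through SMB clients, which is why the post captures the Unix process that writes the file in its own separate log.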

ORIGINAL QUESTION:

Tru64 5.1A - Patch kit T64V51AB01AS0001-20020116
Samba version 2.2.4-pre

Is there a way to record an audit of what happens to files on an AdvFS
partition which is shared using Samba?

Our Unix system writes a small file (11 bytes) and a third party MS-Windows
program reads the file, then deletes it. The third party company swears
blind that sometimes an expected file is not there, and that their program
has not already deleted it. I need to get proof of when the file written,
when the file was accessed, and when the file was deleted and by who/what.

This server is also a database server so there will be an immense number of
read/writes on other partitions, so if there is a way of restricting file
access audit to a single partition it would be extremely helpful.

ANSWER1: Lucien HERCAUD

Activate the audit subsystem of Tru64.
Then select only the system calls relevant to this:
creat
open
unlink
read & write in addition if you want

ANSWER2: Oisin McGuinness

One can turn up Samba logging; at level 2 you will get file read/writes
logged. Just make sure that you have enough logging space, and send the USR1
signal twice to the master samba process (or all of them...; "kill -USR1
smbdpid; kill -USR1 smbdpid"). If you want this on permanently, you can use a
flag to smbd in the startup script.

We do this kind of thing for debugging often. This method will impose
less overhead on your file system/server than turning on OS auditing.

ANSWER3: Ann Majeske

Hi Shaun,

You might want to check out the Audit subsystem (information
in the Security manual). It allows you to audit file
operations on a per-file basis using the Object selection
and deselection modes. The biggest problem is that if
you don't already have the audit subsystem enabled on
the system you have to reboot after building it into the
kernel.

Ann

ANSWER4: Colin Bull

How about creating an alias for the rm command that moves the 'deleted
file' to another directory, and periodically a cron job logs and then
deletes these files.

Colin Bull
c.bull@VideoNetworks.com
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:06 EDT