Hi out there at the screens!

I'm trying to establish more security on a Samba-based file server (on Solaris 2.6, Samba version 2.0.7). The system is screwed up in terms of security, but I can't change that in the short run. But I want to be able, at least, to track down the "bad guy" in case of emergency :-).

My goal is to figure out which client computer issued a specific file/dir deletion on the Samba server. The problem is: every client machine uses the same user name to log on to the shares (as I wrote: screwed-up architecture).

I browsed O'Reilly's Samba book and the online Samba documentation for this issue but I couldn't come up with a final solution. I couldn't find any tool providing this information directly, so I thought of good ole Perl and analyzing the logs... smbstatus prints only connection information.

I increased the log level to 2. OK, now I can identify the machines (IP + name) and get their pid. But then I'm stuck with Samba's log file format. I haven't found out how I can identify a create/save/delete for a certain file. The file is mentioned in human-readable format but not the action performed on it (why?). Example from my experiments:

[2001/10/04 19:21:06, 2] smbd/open.c:open_file(602)
  ppi opened file stoff_test/new_dir/img00004.gif read=No write=Yes (numopen=2)
[2001/10/04 19:21:06, 2] locking/locking_shm.c:shm_del_share_mode(355)
  del_share_modes Deleting share mode entry dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2] locking/locking_shm.c:shm_del_share_mode(376)
  del_share_modes num entries = 0, deleting share_mode dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2] smbd/close.c:close_normal_file(159)
  ppi closed file stoff_test/new_dir/img00004.gif (numopen=1)

What do you think I did to the image file here ;-) ?

Although I didn't try it, I assume that increasing the log level to 3 won't change the situation. Due to space limitations I have to be careful about the disk space consumed by log files...
And according to the documentation, log level 3 will drown you in information.

I thought of other tools (like lsof or Solaris' BSM) but this would be quite a long way round. And I'm sure there is a solution in Samba itself, somewhere out there...

Can you give me any pointers?

Thanks for your help in advance from a dusky Berlin

Oliver Thieke

O. Thieke
thieke@tagesspiegel.de
Verlag Der Tagesspiegel
Admin / Development, IT / PrePress
Berlin
http://www.tagesspiegel.de
http://www.zitty.de
http://www.meinberlin.de
rerum causas cognoscere
I don't know if this is what you want. You can use a preexec parameter to log various items about the user. And you can use a postexec to log various things when they log out. This link might help you:

http://lists.samba.org/pipermail/samba/2001-September/057358.html

Joel
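An added smb.conf fragment (not from the thread or from the linked post) showing what Joel's preexec/postexec suggestion looks like in practice, together with the per-client log file setting that makes the smbd log itself attributable to a machine. The share name, paths and the line format written to connections.log are assumptions; %T, %u, %m, %I and %S are smb.conf substitution variables.

```ini
[global]
   ; one smbd log per client NetBIOS name, so every line in a given log
   ; file belongs to that client even when all clients use one user name
   log file = /usr/local/samba/var/log.%m
   log level = 2

[stoff]
   ; assumed share name and path
   path = /export/stoff
   ; one line per connection and disconnection: %T date/time, %u user,
   ; %m client NetBIOS name, %I client IP, %S share name.
   ; preexec/postexec run as the connected user, so connections.log must be
   ; writable by that user; "root preexec"/"root postexec" run as root instead.
   preexec  = /bin/sh -c 'echo "%T connect    %u %m %I %S" >> /var/log/samba/connections.log'
   postexec = /bin/sh -c 'echo "%T disconnect %u %m %I %S" >> /var/log/samba/connections.log'
```

This records sessions, not file operations: it tells you which machine was connected at a given time, which is the piece needed to join a timestamp in the smbd log back to a client.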
Hi again!

Joel wrote:
> I don't know if this is what you want. You can use a preexec
> parameter to log various items about the user. And you
> can use a postexec to log various things when they log out.

Thanks! But unfortunately this doesn't solve my problem. I browsed the Samba variable list in the man pages for smb.conf but there is no variable holding the user's action(s) on files. As far as I understand it, I just get static information (IP, DNS address, protocol, username etc.) from those variables and the pre/postexec script. What I need is dynamic information (file changes within a given session)!

To be more precise about my point: when I write CGI scripts, for example, from a certain log level on all data changes a user applies are logged. That's also a strategy I have observed in various other client/server systems. The smbd process knows exactly what he (the user) does to a file (create/save changes/delete) because he has to tell Unix to do so. But he (smbd) won't tell in the log!

I was dreaming of a log file format like this (uppercase words show entries you won't find in the current Samba log format, AFAIK):

[2001/10/04 19:20:06, 2] smbd/open.c:open_file(602)
  user CREATED stoff_test/new_dir/img00003.gif read=No write=Yes
[2001/10/04 19:21:06, 2] smbd/open.c:open_file(602)
  user opened file stoff_test/new_dir/img00004.gif read=No write=Yes
[2001/10/04 19:22:06, 2] smbd/open.c:open_file(602)
  user SAVED stoff_test/new_dir/img00003.gif read=No write=Yes
[2001/10/04 19:22:06, 2] smbd/open.c:open_file(602)
  user DELETED stoff_test/new_dir/img00003.gif read=No write=Yes

And making smbd log those data changes shouldn't be that complicated (the process knows it already!). I was looking for a trick to get the required information from Samba itself (or some simple additional tool).

Yes, there would be a different way on Solaris: turn on BSM. But this would be quite a hack...
- you would have to figure out how to identify only the commands executed by Samba...
- you get growing logs...
- ...a long way to go (test and code) :-(

I am surprised that this question seems to be so extraordinary. It is just about a higher security level for a Samba server. Nobody out there managing a Samba server who wants to know which user changed a certain file at which time?

Any more pointers out there? Maybe this is just a suggestion for improving Samba's log format in the future...

Thanks in advance and greetings from Berlin

Oliver Thieke

P.S.: While writing this an idea came to my mind... using a Perl script which analyzes Samba's log, then gets from smbstatus or some other log info on PID and client IP, then checks the file mentioned in the log as "opened" for change or deletion... Still quite a hack... If "the web" (you ;-) ) doesn't come up with a solution I will try this stony path....
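The log-parsing approach from the first message (identify the client per smbd process, then pick the open/close lines out of the level-2 log) and the idea in the P.S. above (check whether each file opened for writing still exists), as one added example. This is not Samba code and not the poster's script; it is written in Python rather than Perl. Assumptions: the Samba 2.x header layout `[YYYY/MM/DD HH:MM:SS, level] file.c:func(line)` with an extra `, pid=NNNN` when `debug pid = yes` is set; the level-1 connect message `machine (ip) connect to service S as user U (uid=.., gid=..) (pid N)` from smbd/service.c; the share root /export/stoff; and SAMPLE_LOG, which is constructed, not a real capture.

```python
"""Attribute Samba smbd level-2 file events to client machines (added example).

Assumed log format: Samba 2.x header "[date time, level[, pid=N]] src.c:func(line)"
followed by an indented message line; connect messages as emitted by smbd/service.c.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)"
    r"(?:, pid=(?P<pid>\d+))?[^\]]*\] (?P<src>\S+)"
)
CONNECT_RE = re.compile(
    r"^(?P<machine>\S+) \((?P<ip>[\d.]+)\) connect to service (?P<service>\S+) "
    r"as user (?P<user>\S+) .*\(pid (?P<pid>\d+)\)$"
)
OPEN_RE = re.compile(
    r"^(?P<user>\S+) opened file (?P<path>.+?) read=(?P<read>Yes|No) write=(?P<write>Yes|No)"
)
CLOSE_RE = re.compile(r"^(?P<user>\S+) closed file (?P<path>.+?) \(numopen=\d+\)")

# Constructed sample: two client machines, both logged on as the same user
# "ppi" (the situation in the thread). Only the second opens img00004.gif for writing.
SAMPLE_LOG = """\
[2001/10/04 19:20:58, 1, pid=4711] smbd/service.c:make_connection(550)
  ppi (192.168.1.23) connect to service stoff as user ppi (uid=1001, gid=100) (pid 4711)
[2001/10/04 19:20:59, 1, pid=4712] smbd/service.c:make_connection(550)
  mac02 (192.168.1.42) connect to service stoff as user ppi (uid=1001, gid=100) (pid 4712)
[2001/10/04 19:21:06, 2, pid=4712] smbd/open.c:open_file(602)
  ppi opened file stoff_test/new_dir/img00004.gif read=No write=Yes (numopen=2)
[2001/10/04 19:21:06, 2, pid=4712] locking/locking_shm.c:shm_del_share_mode(355)
  del_share_modes Deleting share mode entry dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2, pid=4712] smbd/close.c:close_normal_file(159)
  ppi closed file stoff_test/new_dir/img00004.gif (numopen=1)
[2001/10/04 19:21:10, 2, pid=4711] smbd/open.c:open_file(602)
  ppi opened file stoff_test/new_dir/img00003.gif read=Yes write=No (numopen=1)
[2001/10/04 19:21:10, 2, pid=4711] smbd/close.c:close_normal_file(159)
  ppi closed file stoff_test/new_dir/img00003.gif (numopen=0)
"""


@dataclass
class FileEvent:
    ts: str
    client: str            # "machine (ip)" from the connect line, or a fallback label
    user: str
    action: str            # "open-write", "open-read" or "close"
    path: str              # share-relative path exactly as smbd logs it
    pid: Optional[str]


def _client_for(pid: Optional[str], pid_to_client: Dict[str, str], default: str) -> str:
    """Map an smbd pid to its client. Without "debug pid" the header has no pid;
    if the log holds exactly one connection (one file per client via
    "log file = .../log.%m") that connection is taken, else the default label."""
    if pid is not None and pid in pid_to_client:
        return pid_to_client[pid]
    if pid is None and len(pid_to_client) == 1:
        return next(iter(pid_to_client.values()))
    return default


def parse_samba_log(text: str, default_client: str = "unknown client") -> List[FileEvent]:
    """Walk header/message pairs, learn pid -> client from connect messages, and
    return every open/close event with the responsible client attached."""
    events: List[FileEvent] = []
    pid_to_client: Dict[str, str] = {}
    header: Optional[Dict[str, Optional[str]]] = None
    for raw in text.splitlines():
        h = HEADER_RE.match(raw)
        if h:
            header = h.groupdict()
            continue
        if header is None:
            continue                       # stray text before the first header
        msg = raw.strip()
        c = CONNECT_RE.match(msg)
        if c:
            pid_to_client[c["pid"]] = f'{c["machine"]} ({c["ip"]})'
            continue
        client = _client_for(header["pid"], pid_to_client, default_client)
        o = OPEN_RE.match(msg)
        if o:
            action = "open-write" if o["write"] == "Yes" else "open-read"
            events.append(FileEvent(header["ts"], client, o["user"], action, o["path"], header["pid"]))
            continue
        k = CLOSE_RE.match(msg)
        if k:
            events.append(FileEvent(header["ts"], client, k["user"], "close", k["path"], header["pid"]))
    return events


def suspect_deletions(events: List[FileEvent], exists: Callable[[str], bool]) -> List[FileEvent]:
    """smbd never logs 'deleted', so take each path that was opened for writing and
    check whether it still exists. The last write-open of a missing path names the
    client that last held write access; a rename looks identical, so treat it as a lead."""
    last_write: Dict[str, FileEvent] = {}
    for ev in events:
        if ev.action == "open-write":
            last_write[ev.path] = ev
    return [ev for path, ev in last_write.items() if not exists(path)]


if __name__ == "__main__":
    SHARE_ROOT = "/export/stoff"           # assumed share path, not from the thread
    evs = parse_samba_log(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.ts} {ev.client:22} {ev.action:10} {ev.path}")
    for ev in suspect_deletions(evs, lambda p: os.path.exists(os.path.join(SHARE_ROOT, p))):
        print(f"MISSING: {ev.path} last opened for writing by {ev.client} at {ev.ts}")
```

Run it against the real log with `parse_samba_log(open(path).read(), default_client=os.path.basename(path))`, so that with per-client log files the file name (log.mac02) becomes the attribution when no pid is in the header. The existence check is injected as a callable so it can be pointed at the share root, or replaced in a test.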
Oliver Thieke wrote:
> Hi out there at the screens !
>
> I'm trying to establish more security on a
> samba-based File-Server (on solaris 2.6,
> samba version 2.0.7).
> The system is screwed up in terms of security,
> but I can't change that in the short run. But I
> want to be able - at least - to track down the
> "bad guy" in case of emergency :-).
>
> My goal is to figure out which client computer
> issued a specific file/dir deletion on the
> samba-server. The problem is: every client
> machine uses the same user name to logon to
> the shares (as I wrote: screwed-up-architecture).

Fix the architecture. Once you have done that, and users are using their own logins, then look into the audit VFS example module (may require coding for your particular situation).

--snip--

> Can you give me any pointers ?
>
> Thanx for your help in advance from a dusky Berlin
>
> Oliver Thieke

-- 
Andrew Bartlett
abartlet@pcug.org.au
Samba Team member, Build Farm maintainer         abartlet@samba.org
Student Network Administrator, Hawker College    abartlet@hawkerc.net
http://samba.org    http://build.samba.org    http://hawkerc.net
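For reference, the audit VFS module Andrew points at is loaded through smb.conf; this is an added fragment, not from the thread. It assumes Samba 2.2, which introduced the VFS layer (the 2.0.7 release discussed above has none), the example module built from examples/VFS/audit.c, and the install path and share shown.

```ini
[stoff]
   ; assumed share name and path
   path = /export/stoff
   ; Samba 2.2 syntax: load the example audit module. It reports connect,
   ; disconnect, mkdir, rmdir, open, close, rename and unlink through syslog,
   ; so the "who deleted it" record ends up in the system log, tagged with the
   ; Unix user the client authenticated as (hence Andrew's "fix the architecture").
   vfs object = /usr/local/samba/lib/audit.so
```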