Hi out there at the screens !
I'm trying to establish more security on a
samba-based File-Server (on solaris 2.6,
samba version 2.0.7).
The system is screwed up in terms of security,
but I can't change that in the short run. But I
want to be able - at least - to track down the
"bad guy" in case of emergency :-).
My goal is to figure out which client computer
issued a specific file/dir deletion on the
samba-server. The problem is: every client
machine uses the same user name to logon to
the shares (as I wrote: screwed-up-architecture).
I browsed O'Reilly's Samba-Book and the
online-Samba-docu for this issue but I
couldn't come up with a final solution.
I couldn't find any tool providing this
information directly, so I thought of good-ole
PERL and analyzing the logs...
smbstatus prints only connection informations.
I increased the loglevel to 2. OK - now I
can identify the machines (IP+name) and
get their pid. But then I'm stuck with
samba's log file format. I haven't found
out how I can identify a create/save/delete
for a certain file. The file is mentioned
human-readable format but not the action
performed on it (why?).
Example from my experiments:
[2001/10/04 19:21:06, 2] smbd/open.c:open_file(602)
ppi opened file stoff_test/new_dir/img00004.gif read=No write=Yes
(numopen=2)
[2001/10/04 19:21:06, 2] locking/locking_shm.c:shm_del_share_mode(355)
del_share_modes Deleting share mode entry dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2] locking/locking_shm.c:shm_del_share_mode(376)
del_share_modes num entries = 0, deleting share_mode dev=1542001 ino=1641768
[2001/10/04 19:21:06, 2] smbd/close.c:close_normal_file(159)
ppi closed file stoff_test/new_dir/img00004.gif (numopen=1)
What do you think did I do to the image file here ;-) ?
Although I didn't try it I assume that increasing log level
to 3 won't change the situation. Due to space limitations
I have to be careful about disk space consumed by log files...
And according to the docu log level 3 will drown you in
information.
I thought of other tools (like LSOF or Solaris' BSM) but this
would be quite a long way round. And I'm sure there is a
solution in samba itself, somewhere out there...
Can you give me any pointers ?
Thanx for your help in advance from a dusky Berlin
Oliver Thieke
.======================================.
|* *|
|* O. THIEKE *|
|* *|
|* thieke@tagesspiegel.de *|
|* *|
|* Verlag Der Tagesspiegel *|
|* - Admin / Development - *|
|* - I T / PrePress - *|
|* B-E-R-L-I-N *|
|* *|
|* http://www.tagesspiegel.de *|
|* http://www.zitty.de *|
|* http://www.meinberlin.de *|
|* *|
'======================================'
_ _
. .
|
\___/
.________. .________.
> rerum /| |\ causas <
-------/_|________|_\--------
| cognoscere |
*------------*
I don't know if this is what you want. You can use a preexec parameter to log various items about the user. And, use can use a postexec to log various things when they log out. This link might help you. http://lists.samba.org/pipermail/samba/2001-September/057358.html Joel
Hi again ! Joel wrote:> I don't know if this is what you want. You can use a preexec > parameter to log various items about the user. And, use > can use a postexec to log various things when they log out.Thanx ! But unfortunately this doesn't solve my problem. I browsed the samba variable list in man-pages for smb.conf but there is no variable holding the user's action(s) on files. As far as I understand it I just get static informations (IP, DNS-Adress, Protocol, Username etc.) from those variables and the pre/postexec-skript. What I need is dynamic information (file changes within a given session) ! To be more precise about my point: when I write CGI-scripts - for example - from a certain Log-Level on all data changes a user applies are logged. That's also a strategy I have observed in various other client/server-systems. The smbd-process knows exactly what he (the user) does to a file (create/save-changes/delete) because he has to tell unix to do so. But he (smbd) won't tell in the log ! I was dreaming of a log file format like this: (uppercase words shows entries you won't find in current samba log format - AFAIK) [2001/10/04 19:20:06, 2] smbd/open.c:open_file(602) user CREATED stoff_test/new_dir/img00003.gif read=No write=Yes [2001/10/04 19:21:06, 2] smbd/open.c:open_file(602) user opened file stoff_test/new_dir/img00004.gif read=No write=Yes [2001/10/04 19:22:06, 2] smbd/open.c:open_file(602) user SAVED stoff_test/new_dir/img00003.gif read=No write=Yes [2001/10/04 19:22:06, 2] smbd/open.c:open_file(602) user DELETED stoff_test/new_dir/img00003.gif read=No write=Yes And to make smbd logging those data changes shouldn't be that complicated (the process knows it already !). I was looking for a trick to get the required information from samba itself (or some simple aditional tool). Yes there would be a different way on Solaris: Turn on BSM. But this would be quite a hack... you would have to figure out how to identify only the commands executed by samba... you get growing logs... ...a long way to go (test and code) :-( I am surprised that this question seems to be so extraordinary. It is just about a higher security level for a SAMBA-Server. Nobody out there managing a samba-server who wants to know which user changed a certain file on which time ? Any more pointers out there ? Maybe this is just a suggestion for improving samba's log format in the future... Thanx in advance and greetings from Berlin Oliver Thieke P.S.: while writing this an idea came to my mind... using a PERL script which analyzes samba's log. then gets from smbstatus or some other log infos on PID and Client-IP. then checks the file mentioned in the log as "opened" for change or deletion... Still quite a hack... If "the web" (you ;-) ) doesn't come up with a solution I will try this stony path....
Oliver Thieke wrote:> > Hi out there at the screens ! > > I'm trying to establish more security on a > samba-based File-Server (on solaris 2.6, > samba version 2.0.7). > The system is screwed up in terms of security, > but I can't change that in the short run. But I > want to be able - at least - to track down the > "bad guy" in case of emergency :-). > > My goal is to figure out which client computer > issued a specific file/dir deletion on the > samba-server. The problem is: every client > machine uses the same user name to logon to > the shares (as I wrote: screwed-up-architecture).Fix the architecture. Once you have done that, and users using their own logins, then look into the audit vfs example module (may require coding for your particular situation). --snip--> Can you give me any pointers ? > > Thanx for your help in advance from a dusky Berlin > > Oliver Thieke-- Andrew Bartlett abartlet@pcug.org.au Samba Team member, Build Farm maintainer abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net