7

We have a Linux server which is Ext4 and another Linux server which has an iSCSI where Windows clients have shared folders. I need to

  1. Allow users to modify files and not delete them. A user has permission to modify content, but cannot delete the file itself.
  2. Audit all file add/delete/modify operations in an English-like log format.
  3. Send alerts if attempts are being made to delete.
  • 2
    The trouble with your plan is that most good editors save changes to files by first writing the new file to a different filename, then removing the old one and renaming the new file to the right name. Add to that the propensity of Windows programs like Word to save their temporary files in the same folder as the original document and to want to remove the file when it's done, and this is going to be one rough ride.
    – DerfK
    Commented Jan 9, 2013 at 6:28
    But these are not for editors for some of the departments, and they are not allowed to do this as a practice.
    – ramdaz
    Commented Jan 9, 2013 at 6:34
  • 2
    What do you mean 'they are not allowed to do this'? DerfK was making a point that some software simply will not work unless you permit files to be deleted/renamed.
    – Zoredache
    Commented Jan 9, 2013 at 7:47
  • Is the Linux server sharing the folders with samba/CIFS?
    – kbulgrien
    Commented Jan 9, 2013 at 17:30
  • Sounds like you need to re-evaluate your policy. There is not much difference between writing and deleting. What if they write a blank file? Are you worried about the content of the files being deleted, or the missing files breaking something as a dependency?
    Commented Jan 9, 2013 at 17:56

4 Answers

2

If Windows clients are mounting Samba/CIFS shares then you should check out the full_audit.so module for Samba.

Samba: Logging User Activity

Samba - file audit log with full_audit

Google Search - samba full_audit

2

I would recommend checking out audit - http://people.redhat.com/sgrubb/audit/

It can monitor just about anything and everything that goes on with the kernel - you define your own rules to match the type of syscall activity you'd like to have audited.

1

Check out inotify-tools, or, if you're a programmer, you could roll your own that fits. It's not that hard to do; the most difficult part is keeping track of all the subdirectories, and dealing with directory additions/deletions/renames.

I have inotify-based programs running on a few of my servers. For example, on the one that stores my scanned private documents (bills, receipts et al), I have a program that watches for new files in a directory tree. When a new document is created, it is immediately PGP-encrypted (unless the new document IS pgp-encrypted, of course). Another, similar program, sends any changes in a particular tree to another server, far away.

I could see modifying one of those to simply write to an audit file that could then be reviewed as need be. The most difficult part I see in that is making sure the audit file doesn't grow too large.

I will review one of these to see if it's public-ready. If it is, I will find a place to share it.

1

Use the Linux::Inotify2 Perl module. Write a Perl script and keep it running as a daemon.

You can keep watch on a certain directory for the following events:

    IN_ACCESS            object was accessed
    IN_MODIFY            object was modified
    IN_ATTRIB            object metadata changed
    IN_CLOSE_WRITE       writable fd to file / to object was closed
    IN_CLOSE_NOWRITE     readonly fd to file / to object closed
    IN_OPEN              object was opened
    IN_MOVED_FROM        file was moved from this object (directory)
    IN_MOVED_TO          file was moved to this object (directory)
    IN_CREATE            file was created in this object (directory)
    IN_DELETE            file was deleted from this object (directory)
    IN_DELETE_SELF       object itself was deleted
    IN_MOVE_SELF         object itself was moved
    IN_ALL_EVENTS        all of the above events

    IN_ONESHOT           only send event once
    IN_ONLYDIR           only watch the path if it is a directory
    IN_DONT_FOLLOW       don't follow a sym link
    IN_MASK_ADD          not supported with the current version of this module

    IN_CLOSE             same as IN_CLOSE_WRITE | IN_CLOSE_NOWRITE
    IN_MOVE              same as IN_MOVED_FROM | IN_MOVED_TO
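The "roll your own" suggestion two answers up and the Linux::Inotify2 event list above both rest on the same kernel inotify API. As an added example that is not from any of the answerers, here is a small C watcher written against that API directly: it renders each event as an English-like log line, as the question asks, and counts delete and rename-away events as alerts. The event selection, log wording and function names are my own choices, not part of any project.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Audit adds, modifies (close after write), deletes and renames; alert on delete and rename-away. */
#define AUDIT_MASK (IN_CREATE | IN_CLOSE_WRITE | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO)
#define ALERT_MASK (IN_DELETE | IN_MOVED_FROM)

static const char *verb(uint32_t mask) {
    if (mask & IN_CREATE)      return "was created in";
    if (mask & IN_CLOSE_WRITE) return "was modified in";
    if (mask & IN_DELETE)      return "was deleted from";
    if (mask & IN_MOVED_FROM)  return "was renamed away from";
    if (mask & IN_MOVED_TO)    return "was renamed into";
    return "was touched in";
}

/* Render one event as an English-like log line; returns 1 if it should raise an alert. */
int format_event(uint32_t mask, const char *name, const char *dir, char *line, size_t cap) {
    int alert = (mask & ALERT_MASK) != 0;
    snprintf(line, cap, "%s%s '%s' %s %s", alert ? "ALERT: " : "",
             (mask & IN_ISDIR) ? "directory" : "file", name, verb(mask), dir);
    return alert;
}

/* Start a non-blocking watch on dir; returns the inotify fd, or -1 on failure. */
int audit_open(const char *dir) {
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd >= 0 && inotify_add_watch(fd, dir, AUDIT_MASK) < 0) { close(fd); fd = -1; }
    return fd;
}

/* Log every queued event to out, one line each; returns the alert count, or -1 on error. */
int audit_drain(int fd, const char *dir, FILE *out) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event)))), line[512];
    int alerts = 0;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) return errno == EAGAIN ? alerts : -1;   /* EAGAIN: queue is empty */
        for (char *p = buf; p < buf + n;) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            alerts += format_event(ev->mask, ev->len ? ev->name : "", dir, line, sizeof line);
            fprintf(out, "%s\n", line);
            p += sizeof *ev + ev->len;   /* events are variable-length: header plus name */
        }
    }
}
```

Call audit_open() on the share root and audit_drain() from a periodic loop (or after poll() reports the fd readable); a non-zero return is the signal to send the alert the question asks for. Like the Perl module, this watches a single directory, so subdirectories need their own watches.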
