Greetings,
Is there a way to have the system log what users connect via cifs AND also show what share they connect to? This is a 7.3.2 system.
I've been trying various cifs options. I can see where it log who I am, and where I'm coming from, but not what I'm trying to access, or what share I mounted.
Some mystery deletes have been occurring so we are trying to track down who may be accessing that particular share. Ideally I want to know when they connect and disconnect at a minimum so we have an idea when they were there.
For now I just have a script checking cifs sessions and logging connections to the share to a file. I'd rather see it in messages or audit instead.
Thanks,
Jeff
You should be able to enable audit for files using standard file security dialog in Windows.
--- With best regards
Andrei Borzenkov Senior system engineer FTS WEMEAI RUC RU SC TMS FOS [cid:image001.gif@01D0F1FC.5C899F00] FUJITSU Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation Tel.: +7 495 730 62 20 ( reception) Mob.: +7 916 678 7208 Fax: +7 495 730 62 14 E-mail: Andrei.Borzenkov@ts.fujitsu.commailto:Andrei.Borzenkov@ts.fujitsu.com Web: ru.fujitsu.comhttp://ts.fujitsu.com/ Company details: ts.fujitsu.com/imprinthttp://ts.fujitsu.com/imprint.html This communication contains information that is confidential, proprietary in nature and/or privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) or the person responsible for delivering it to the intended recipient(s), please note that any form of dissemination, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender and delete the original communication. Thank you for your cooperation. Please be advised that neither Fujitsu, its affiliates, its employees or agents accept liability for any errors, omissions or damages caused by delays of receipt or by any virus infection in this message or its attachments, or which may otherwise arise as a result of this e-mail transmission.
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Jeff Cleverley Sent: Friday, September 18, 2015 4:25 AM To: Toasters@teaparty.net Subject: Cifs share access log
Greetings,
Is there a way to have the system log what users connect via cifs AND also show what share they connect to? This is a 7.3.2 system.
I've been trying various cifs options. I can see where it log who I am, and where I'm coming from, but not what I'm trying to access, or what share I mounted.
Some mystery deletes have been occurring so we are trying to track down who may be accessing that particular share. Ideally I want to know when they connect and disconnect at a minimum so we have an idea when they were there.
For now I just have a script checking cifs sessions and logging connections to the share to a file. I'd rather see it in messages or audit instead.
Thanks,
Jeff
-- Jeff Cleverley IT Engineer 4380 Ziegler Road Building 1, Dock 1 Fort Collins, Colorado 80525 970-288-4611
Andrei,
I've been dealing with *nix for the last 18 years and have limited Windows experience. Please excuse my noob questions.
How would the file auditing get set up and work? They don't access this share from a single system.
I don't have access to the share they are looking at so I can't do anything on my VM. Would this have to be turned on for all of them, or just on one?
Thanks,
Jeff
On Fri, Sep 18, 2015 at 1:25 AM, Borzenkov, Andrei < andrei.borzenkov@ts.fujitsu.com> wrote:
You should be able to enable audit for files using standard file security dialog in Windows.
With best regards
*Andre**i** Borzenkov*
Senior system engineer
FTS WEMEAI RUC RU SC TMS FOS
[image: cid:image001.gif@01CBF835.B3FEDA90]
*FUJITSU*
Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation
Tel.: +7 495 730 62 20 ( reception)
Mob.: +7 916 678 7208
Fax: +7 495 730 62 14
E-mail: Andrei.Borzenkov@ts.fujitsu.com
Web: ru.fujitsu.com http://ts.fujitsu.com/
Company details: ts.fujitsu.com/imprint http://ts.fujitsu.com/imprint.html
This communication contains information that is confidential, proprietary in nature and/or privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) or the person responsible for delivering it to the intended recipient(s), please note that any form of dissemination, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender and delete the original communication. Thank you for your cooperation.
Please be advised that neither Fujitsu, its affiliates, its employees or agents accept liability for any errors, omissions or damages caused by delays of receipt or by any virus infection in this message or its attachments, or which may otherwise arise as a result of this e-mail transmission.
*From:* toasters-bounces@teaparty.net [mailto: toasters-bounces@teaparty.net] *On Behalf Of *Jeff Cleverley *Sent:* Friday, September 18, 2015 4:25 AM *To:* Toasters@teaparty.net *Subject:* Cifs share access log
Greetings,
Is there a way to have the system log what users connect via cifs AND also show what share they connect to? This is a 7.3.2 system.
I've been trying various cifs options. I can see where it log who I am, and where I'm coming from, but not what I'm trying to access, or what share I mounted.
Some mystery deletes have been occurring so we are trying to track down who may be accessing that particular share. Ideally I want to know when they connect and disconnect at a minimum so we have an idea when they were there.
For now I just have a script checking cifs sessions and logging connections to the share to a file. I'd rather see it in messages or audit instead.
Thanks,
Jeff
--
Jeff Cleverley IT Engineer
4380 Ziegler Road
Building 1, Dock 1 Fort Collins, Colorado 80525 970-288-4611
One approach to consider would be to use Storage-Level security (SLAG). That can be done from the filer, without having to use Windows to set ACLs. You can specify that you want to, for example, audit all successful and/or failed delete operations. To make that work, you need to enable cifs auditing, and you need to use the fsecurity command to place the appropriate SLAG on the qtree(s) that you want to monitor. If you aren’t familiar with Windows security, you’ll probably want to get some help with setting this up.
Once you have the data you need, you can just remove the SLAG. The nice thing about SLAG is that it immediately applies to all objects in the qtree(s) without having to modify the ACL on each object. If you have NFS clients accessing the qtree(s) with SLAG, you will need to make sure the NFS users map to a valid Windows account, since the mapped account is logged in the cifs auditing information.
Mark
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Jeff Cleverley Sent: Friday, September 18, 2015 9:28 PM To: Borzenkov, Andrei Cc: Toasters@teaparty.net Subject: Re: Cifs share access log
Andrei,
I've been dealing with *nix for the last 18 years and have limited Windows experience. Please excuse my noob questions.
How would the file auditing get set up and work? They don't access this share from a single system.
I don't have access to the share they are looking at so I can't do anything on my VM. Would this have to be turned on for all of them, or just on one?
Thanks,
Jeff
On Fri, Sep 18, 2015 at 1:25 AM, Borzenkov, Andrei <andrei.borzenkov@ts.fujitsu.commailto:andrei.borzenkov@ts.fujitsu.com> wrote: You should be able to enable audit for files using standard file security dialog in Windows.
--- With best regards
Andrei Borzenkov Senior system engineer FTS WEMEAI RUC RU SC TMS FOS [cid:image001.gif@01CBF835.B3FEDA90] FUJITSU Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation Tel.: +7 495 730 62 20 ( reception) Mob.: +7 916 678 7208 Fax: +7 495 730 62 14 E-mail: Andrei.Borzenkov@ts.fujitsu.commailto:Andrei.Borzenkov@ts.fujitsu.com Web: ru.fujitsu.comhttp://ts.fujitsu.com/ Company details: ts.fujitsu.com/imprinthttp://ts.fujitsu.com/imprint.html This communication contains information that is confidential, proprietary in nature and/or privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) or the person responsible for delivering it to the intended recipient(s), please note that any form of dissemination, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender and delete the original communication. Thank you for your cooperation. Please be advised that neither Fujitsu, its affiliates, its employees or agents accept liability for any errors, omissions or damages caused by delays of receipt or by any virus infection in this message or its attachments, or which may otherwise arise as a result of this e-mail transmission.
From: toasters-bounces@teaparty.netmailto:toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.netmailto:toasters-bounces@teaparty.net] On Behalf Of Jeff Cleverley Sent: Friday, September 18, 2015 4:25 AM To: <Toasters@teaparty.netmailto:Toasters@teaparty.net> Subject: Cifs share access log
Greetings,
Is there a way to have the system log what users connect via cifs AND also show what share they connect to? This is a 7.3.2 system.
I've been trying various cifs options. I can see where it log who I am, and where I'm coming from, but not what I'm trying to access, or what share I mounted.
Some mystery deletes have been occurring so we are trying to track down who may be accessing that particular share. Ideally I want to know when they connect and disconnect at a minimum so we have an idea when they were there.
For now I just have a script checking cifs sessions and logging connections to the share to a file. I'd rather see it in messages or audit instead.
Thanks,
Jeff
-- Jeff Cleverley IT Engineer 4380 Ziegler Road Building 1, Dock 1 Fort Collins, Colorado 80525 970-288-4611
-- Jeff Cleverley IT Engineer 4380 Ziegler Road Building 1, Dock 1 Fort Collins, Colorado 80525 970-288-4611
-
Borzenkov, Andrei -
Jeff Cleverley -
Muhlestein, Mark