Topic: Deleted Files

[Markt606]

Someone has deleted a number of random files on an iBay. I suspect they are doing this by mistake.

Is there any way I can find out who has deleted the files?

[Stefano]

only if you enabled https://wiki.contribs.org/DB_Variables_Configuration#Samba_per_i-bay_settings_.28smbd.29

[Markt606]

Thanks. I don't have that enabled. I will have a look at it and try turning it on.

Is it he Audit variable that needs to be enabled there? Once it is on how would I view the results?

[Stefano]

see https://forums.contribs.org/index.php/topic,51121.msg259019.html#msg259019

[Markt606]

I have enabled auditing and have also enabled Recycle Bin but I cant see the results of either one?

Do I have to restart the server to activate them?

thx

[Jean-Philippe Pialasse]

I have enabled auditing and have also enabled Recycle Bin but I cant see the results of either one?

Do I have to restart the server to activate them?

thx

signal-event ibay-modify
should be enough as what you need to restart is samba

[Markt606]

Im still having some problems with this.

I have an IBay called "cont_dept"

so I have gone in as root and entered the following:

    db account setprop cont_dept Audit enabled
    signal-event ibay-modify cont_dept

under /var/log/samba I can see a file called samba_audit  but its empty.

I have attached a couple of screenshots. Can you see if I am doing something wrong please?

Thank you

[mmccarn]

You could check in /etc/samba/smb.conf to make sure that the audit logging entries have been created.

I did this:

Code: [Select]

cp /etc/samba/smb.conf /etc/samba/smb.conf-
db accounts setprop Primary Audit enabled
signal-event ibay-modify Primary
diff -u /etc/samba/smb.conf /etc/samba/smb.conf-

The results looked like this (sorry - I 'diffed' them in the wrong order, so the new content is marked with a minus):

Code: [Select]

diff -u /etc/samba/smb.conf /etc/samba/smb.conf-
--- /etc/samba/smb.conf 2018-02-03 07:51:52.966527426 -0500
+++ /etc/samba/smb.conf- 2018-02-03 07:41:50.807661212 -0500
@@ -153,12 +153,6 @@
 
 
 
-vfs objects = full_audit
-  full_audit:priority=notice
-  full_audit:success=opendir mkdir rmdir open write rename unlink
-  full_audit:failure=connect
-  full_audit:facility=local5
-  full_audit:prefix=%u|%I|%S
 (with the new content in the section related to '[Primary]').

As soon as I accessed the Primary i-bay using samba from my macbook, the audit log was populated:

Code: [Select]

tail /var/log/samba/tail samba_audit
Feb  3 07:52:13 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb  3 07:52:13 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb  3 07:52:13 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb  3 07:52:13 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb  3 07:52:18 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb  3 07:52:18 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb  3 07:52:18 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb  3 07:52:23 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb  3 07:52:23 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.
Feb  3 07:52:23 office smbd[27499]: mmccarn|192.168.200.110|Primary|opendir|ok|.

The same procedure didn't work on another "ibay" -- until I realized that the other ibay was actually a user account.

Adding the 'full_audit' directives shown above to the [homes] section of /etc/samba/smb.conf, then restarting smbd (sv t smbd) started generating samba_audit entries when I access my user folder.  You'd need a custom copy of /etc/samba/smb.conf/50homes if you wanted to enable audit logging on user folders persistently.

[MSmith]

Just to clarify, please, no offense intended ... turning on either Recycle Bin or the Linux equivalent of "shadow copy" at this point will NOT repeat NOT allow you to recover files deleted in the past.