Tracing user activity

We have a user who is inappropriately renaming folders on our servers. Although the user thinks he/she is being funny, this is not only causing problems with linked files but is sometimes crossing over the line into personal harassment of other users. Even after multiple warnings, it is still going on.

I need a way to identify who this user is and put a stop to this activity.

We run multiple Mac servers, XServe w/XRAID, G4's and G5's. We are running Mac OSX Server 10.3.9 and 10.4.10.

I have tried reviewing the logs but I haven't found anything. Maybe I don't know what I'm looking for. Please, if anyone has an idea or knows a method for identifying who has modified the folder names let me know.

Brion

Dual 2.5 MacPro, 2.16 MacBookPro, etc, etc..., Mac OS X (10.4.10)

Posted on Aug 21, 2007 8:01 AM


Aug 21, 2007 9:47 AM in response to BrionMcC

Ok; first step is to create and send around and to require explicit acknowledgment of the site appropriate use of computers policy. Check with your legal-type folks here. Each user gets one of these.

Next step is to download and install the Common Criteria tools for Mac OS X for 10.3 and 10.4. You'll be enabling auditing, and the common criteria downloads include the audit tools and documentation.

You're probably not so interested in the Common Criteria itself. Just the tools. Particularly audit, auditreduce and praudit. You'll be looking at writes to /User, for instance.

Even though 10.4 does have ACLs, the ACL implementation doesn't appear to have a way to trigger an audit for a particular event or file access.

Somebody may know an easier way. Wading through auditing isn't going to be "fun"... Mayhap some sort of an Automator quietly connected onto the directory file(s) involved, if the target(s) of your gremlin are fairly consistent.
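
A sketch of the log-review step described in this reply, added here as an example and not part of the original post: it scans one-line audit records for successful renames under a share and reports the audited user and source address. The record layout follows BSM `praudit -l` output as an assumption, the sample records are constructed, and `WATCHED` is a hypothetical path.

```python
# Added example: attribute directory renames in audit output to a user.
# Assumes one-line BSM records as printed by `praudit -l`; SAMPLE is constructed.
# Limitation: fields are comma-separated, so paths containing commas mis-parse.
WATCHED = "/Volumes/Shared/"  # hypothetical share root

SAMPLE = [
    "header,150,1,rename(2),0,Tue Aug 21 09:12:44 2007, + 120 msec,"
    "path,/Volumes/Shared/Projects/Q3 Budget,path,/Volumes/Shared/Projects/zzz,"
    "subject,jdoe,jdoe,staff,jdoe,staff,412,412,0,10.0.1.23,"
    "return,success,0,trailer,150",
    "header,150,1,rename(2),0,Tue Aug 21 09:20:10 2007, + 3 msec,"
    "path,/Volumes/Shared/HR/Reviews,path,/Volumes/Shared/HR/x,"
    "subject,asmith,asmith,staff,asmith,staff,519,519,0,10.0.1.40,"
    "return,failure : Permission denied,4294967295,trailer,150",
    "header,140,1,rename(2),0,Tue Aug 21 09:31:55 2007, + 88 msec,"
    "path,/Users/jdoe/a.txt,path,/Users/jdoe/b.txt,"
    "subject,jdoe,jdoe,staff,jdoe,staff,412,412,0,10.0.1.23,"
    "return,success,0,trailer,140",
]

def parse_record(line):
    """Return event, time, paths, audit user, source address and outcome."""
    f = line.strip().split(",")
    if len(f) < 8 or f[0] != "header" or "subject" not in f or "return" not in f:
        return None
    s, r = f.index("subject", 7), f.index("return", 7)
    if s + 9 >= len(f) or r + 1 >= len(f):
        return None  # truncated record
    return {
        "event": f[3], "time": f[5].strip(),
        "paths": [f[i + 1] for i in range(7, len(f) - 1) if f[i] == "path"],
        # subject: audit id, euid, egid, ruid, rgid, pid, session, port, addr
        "user": f[s + 1], "addr": f[s + 9],
        "ok": f[r + 1] == "success",
    }

def find_renames(lines, watched=WATCHED):
    """List successful renames whose source path lies under `watched`."""
    hits = []
    for rec in filter(None, map(parse_record, lines)):
        if rec["event"] == "rename(2)" and rec["ok"] and len(rec["paths"]) >= 2:
            old, new = rec["paths"][0], rec["paths"][-1]
            if old.startswith(watched):
                hits.append((rec["time"], rec["user"], rec["addr"], old, new))
    return hits

if __name__ == "__main__":
    for hit in find_renames(SAMPLE):
        print(*hit, sep=" | ")
```

Before relying on the output, make a test rename from a known account and confirm that the subject token shows the connecting user rather than the account of the file-server process.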

Aug 21, 2007 11:23 AM in response to BrionMcC

Hi

Apart from Mr Hoffman’s suggestions you can also enable Access logging in Server Admin. Server Admin > AFP > Settings > Logging. It's pretty obvious what the settings will do once enabled. The log will track users by their IP address. All you have to do is map the IP address to the hardware and you have your user.

You could also investigate ARD’s generate reports feature.

Tony

Aug 27, 2007 7:33 AM in response to BrionMcC

Thanks for the replies.

I am looking into all of the above ideas (ARD logs, Access logs & Common Criteria). It appears that each of them might be capable of catching someone once they are implemented by noting a changed file name and then reviewing who was logged in.

But just so I have a clear understanding - what I am getting here is that the OS does not actually record the event of the file name being modified or which user/IP modified it. Is this correct?

Sorry for my lack of formal knowledge. We are a small company (50 users) and don't usually have to deal with these more technical issues.

Thanks,

Brion

Aug 27, 2007 10:27 AM in response to BrionMcC

as far as i know, there's nothing built-in that will do what you want. the common criteria tools may do it, but i don't have any experience using them.

afp logs won't tell you much beyond file open/delete messages.

ard user history reports most likely won't give you anything useful.

in addition to using the common criteria tools, you may want to address the issue in person with everyone present. if you're a small company, that shouldn't be too difficult. in a non-threatening way, just tell people to stop making a mess.

also, if you're running server 10.4.x, you may be able to enable and tweak ACLs to prevent some of the damage you've experienced while still allowing people to work.

Aug 27, 2007 12:40 PM in response to BrionMcC

The truth is we have addressed this openly with the whole company before AND the CFO/HR person has gone desk to desk. This person just thinks he/she is cute but unfortunately he/she can be downright offensive. Fortunately we were able to remove a few of the changes before they were seen by people who could really have been hurt. It really has to stop.

What specifically are ACLs and where can I learn more about them?

Brion

Aug 28, 2007 1:01 AM in response to BrionMcC

Hi

A good place to start would be here:

http://www.apple.com/support/manuals/macosxserver/

Specifically the File Services Admin 10.4 as well as the User Management Admin 10.4 Manuals.

In addition to these I would advise consulting Gerrit de Witt’s articles, which in my opinion are the best reference source. Start there first if you are interested in using and understanding any of the permissions models available in 10.4 Server. Click on this link as well as searching for his posts:

http://discussions.apple.com/thread.jspa?messageID=1535247

Tony
