diff --git a/samba/autdit.pl b/samba/autdit.pl
new file mode 100644
index 0000000..f4bf010
--- /dev/null
+++ b/samba/autdit.pl
@@ -0,0 +1,78 @@
+#!/usr/bin/perl -w
+
+use warnings;
+use strict;
+use Data::Dumper;
+
+my $users = {};
+my $machines = {};
+my $operations = {
+ connect => 0,
+ disconnect => 0,
+ chdir => 0,
+ open_read => 0,
+ open_write => 0,
+ close => 0,
+ rename => 0,
+ unlink => 0,
+ mkdir => 0,
+ rmdir => 0
+};
+my $files = {};
+my $statuses = {
+ success => 0,
+ failure => 0
+};
+
+my $re_date = qr/(?\w{3})\s(?\d{1,2})\s(?[\d+]{1,2}):(?\d{1,2}):(?\d{1,2})/;
+my $re_hostname = qr/\w[\w\-]+/;
+my $re_user = qr/\w[\w\-]+/;
+my $re_op = qr/connect|disconnect|chdir|open|close|rename|unlink|mkdir|rmdir/;
+my $re_path = qr{/?(\.|([^\|]/?)*)};
+my $re_ip = qr/(\d{1,3}\.){3}\d{1,3}/;
+my $re_share = qr/\w[\w\-]+/;
+my $re_status = qr/ok|fail\s+[^\|]+/;
+
+while (){
+ # Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|close
+ next unless m/^$re_date\s+$re_hostname\s+smbd\[\d+\]:\s+(?$re_user)\|(?$re_ip)\|(?$re_hostname)\|(?$re_share)\|(?$re_op)\|(?$re_status)\|/;
+ my $date = $+{date};
+ my $user = $+{user};
+ my $ip = $+{ip};
+ my $machine = $+{machine};
+ my $share = $+{share};
+ my $operation = $+{operation};
+ my $status = $+{status};
+ my $open_mode;
+ my $file;
+ my $new_name;
+ if ($operation eq 'open'){
+ m/(r|w)\|(?$re_path)$/;
+ $open_mode = $1;
+ $file = $+{file};
+ if ($open_mode eq 'r'){
+ $operations->{open_read}++;
+ } else {
+ $operations->{open_write}++;
+ }
+ } elsif ($operation eq 'rename') {
+ m/(?$re_path)\|(?$re_path)$/;
+ $file = $+{file};
+ $new_name = $+{new_name};
+ $operations->{rename}++;
+ } else {
+ m/(?$re_path)$/;
+ $file = $+{file};
+ $operations->{$operation}++;
+ }
+ $machines->{$ip} = 1;
+ $users->{$user} = 1;
+ $files->{$file} = 1;
+ if ($status eq 'ok'){
+ $statuses->{success}++;
+ } else {
+ $statuses->{failure}++;
+ }
+}
+
+print "Sucess : $statuses->{success}\nFailure : $statuses->{failure}\n";
diff --git a/samba/sample.txt b/samba/sample.txt
new file mode 100644
index 0000000..ac0724d
--- /dev/null
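Review bot: The three secondary matches in the `open`, `rename` and default branches (`m/(r|w)\|…$/`, `m/…\|…$/`, `m/…$/`) never check whether they succeeded, so on a line they do not match `$1` and `%+` still hold the captures of the earlier `next unless` match: `$open_mode` becomes that stale first group (neither `r` nor `w`, so the line is counted as `open_write`) and `$file` is undef, which `$files->{$file}` then stores under the empty key with an uninitialized-value warning. Each of them should be guarded like the first match, e.g. `next unless m/(r|w)\|(?<file>$re_path)$/;` (the `<name>` part of the named captures and the `<>` in `while (<>)` appear to have been stripped by the rendering here), ideally with a counter or `warn` so rejected lines are visible rather than silently dropped. The parsed fields (user, machine, share, path) are chosen by SMB clients, so a path containing `|` or an unexpected mode token can shift which fields these unanchored regexes pick up; for an audit tool, loudly rejecting unparsed lines matters more than counting them somewhere. Separately, `Data::Dumper` is imported but unused, `-w` duplicates `use warnings`, and `[\d+]{1,2}` in `$re_date` is a character class containing a literal `+`, almost certainly meant as `\d{1,2}`.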
+++ b/samba/sample.txt
@@ -0,0 +1,13 @@
+Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|chdir|ok|chdir|/home/e-smith/files/shares/tools/files
+Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|close|ok|signatures/pdurant
+Jan 13 03:50:42 contis smbd[27251]: pdurant|192.168.137.117|desk-magasin|tools|disconnect|ok|tools
+Jan 13 04:45:12 contis smbd[9552]: port-guy2_|192.168.137.69|port-guy2|acme_exploi_maint|chdir|fail (Permission denied)|chdir|/home/e-smith/files/shares/acme_exploi_maint/files
+Jan 13 05:46:40 contis smbd[30248]: alicia|192.168.137.110|stm2012|acme_report_cial|connect|ok|acme_report_cial
+Jan 13 06:31:46 contis smbd[27799]: assistlogistic3|192.168.137.29|port-verom|tools|open|ok|r|001conf.bat
+Jan 13 06:40:26 contis smbd[27733]: assistlogistic3|192.168.137.29|port-verom|acme_env_stm|open|ok|w|CARTE ADR ABADI M..pdf
+Jan 13 06:40:27 contis smbd[27733]: port-verom_|192.168.137.29|port-verom|acme_env_stm|connect|ok|acme_env_stm
+Jan 13 07:30:35 contis smbd[19305]: respdeee|192.168.137.71|port-pascalp|acme_metaux|unlink|ok|CORONAVIRUS/C84E6727.tmp
+Jan 13 07:30:34 contis smbd[19305]: respdeee|192.168.137.71|port-pascalp|acme_metaux|rename|ok|CORONAVIRUS/D0A703E.tmp|CORONAVIRUS/EFFECTIFS METAUX CORONAVIRUS 30 AVRIL + 2020.xlsx
+Jan 13 08:16:58 contis smbd[11611]: pdurant|192.168.137.106|port-dylan|portail_achat|mkdir|ok|Dossier Commande Achat - Reception/Nouveau dossier
+Jan 13 08:46:37 contis smbd[28263]: vanessa|192.168.136.192|port-vanessab|fact|rmdir|ok|6 - PARAPHEUR/DEMANDES DE PAIEMENTS/12 01 2021