× NETGEAR will be terminating ReadyCLOUD service by July 1st, 2023. For more details click here.

Start a New Discussion

Start a New Discussion

Orbi WiFi 7 RBE973
Reply

ReadyNAS Auditing - Logs showing root user actions

tiborszabo
Star
Star
‎2019-09-20 03:38 AM
‎2019-09-20 03:38 AM

ReadyNAS Auditing - Logs showing root user actions

Hi guys,

 

I recently updated a RN316 to 6.10.1, which included long overdue file auditing logs.

We can now check who is writing and deleting which folders / files on the server. Really great to have.

 

I am however seeing an issue where some of the file and folder actions are attributed to a user simply named "root", with no valid username or IP address specified. They are valid delete / write actions as well.

This means that I cannot track any of those file actions, since I have no clue who "root" is. I have setup each PC / Mac in the company with their own specific user (not root), so this is a bit of a strange one...

 

Any ideas?

Many thanks for assistance in advance 🙂

 

 

Model: RN31600|ReadyNAS 300 Series 6- Bay (Diskless)
Message 1 of 7
0 Kudos
Reply
StephenB
Guru Guru
Guru
‎2019-09-20 08:50 AM
‎2019-09-20 08:50 AM

Re: ReadyNAS Auditing - Logs showing root user actions

root is a built-in account (as in all linux systems).  So this is likely coming from the NAS system software (or maybe something else installed on the NAS).

 

Is root operating on files in the shares?  Or just in the OS partition?  Can you post a snippet of what you are seeing?

Message 2 of 7
0 Kudos
Reply
tiborszabo
Star
Star
‎2019-09-23 02:04 AM
‎2019-09-23 02:04 AM

Re: ReadyNAS Auditing - Logs showing root user actions

Thanks StephenB,

 

Please see attached screenshot for some sample file activity from the root account.

It is acting in the main server data folder - I have erased the filenames for privacy purposes.

It also only appears during working hours when other user actions are being logged.

 

Any ideas?

Message 3 of 7
0 Kudos
Reply
StephenB
Guru Guru
Guru
‎2019-09-23 03:19 AM
‎2019-09-23 03:19 AM

Re: ReadyNAS Auditing - Logs showing root user actions

@tiborszabo wrote:

 

Any ideas?

Not many without the file names.

 

One possibility is that autodefrag is kicking in on the share(s).  Antivirus is also possible I guess.  Check to see if the files are still present.

 

Perhaps download the full log zip file, and look for system.log and kernel.log entries in the time window near the audits.

 

 

Message 4 of 7
0 Kudos
Reply
tiborszabo
Star
Star
‎2019-10-03 06:51 AM
‎2019-10-03 06:51 AM

Re: ReadyNAS Auditing - Logs showing root user actions

Thanks StephenB.

 

Autodefrag only runs on the weekend, and antivirus is disabled.

The files being affected are work files - i.e. company data that is accessed by other users.

 

I'll try the full log option you suggested.

Message 5 of 7
0 Kudos
Reply
StephenB
Guru Guru
Guru
‎2019-10-03 07:07 AM
‎2019-10-03 07:07 AM

Re: ReadyNAS Auditing - Logs showing root user actions

Maybe also change the NAS admin password from the web UI (which will also change the root password).

Message 6 of 7
0 Kudos
Reply
tiborszabo
Star
Star
‎2020-02-27 01:05 PM
‎2020-02-27 01:05 PM

Re: ReadyNAS Auditing - Logs showing root user actions

An update on this one guys.

 

I discovered that the "root" entries in my auditing logs were actually coming from Macs that were working on the NAS, where the NAS had been saved in the Mac keychain as an SMB or AFP share, but without credentials - almost like a corrupt entry in the Mac keychain.

 

Erasing these erroneous SMB / AFP password entries in the keychain, and then logging in again with the proper user credentials has sorted the issue out.

Message 7 of 7
0 Kudos
Reply
Top Contributors
See All
Discussion stats
  • 6 replies
  • ‎2019-09-20 03:38 AM
  • 2256 views
  • 0 kudos
  • 2 in conversation
Announcements