Monitor critical actions

sib-jl · June 20, 2019, 2:41pm

Hello together,

I have the same problems with activity log of nextcloud. We are testing nextcloud now for using in our enterprise. For that we must log activities who are risks for our business, like sharing datas of our customers for example. That is possible in nextcloud. But we regonized that the normal user can change the parameters of logging his own acitivities. This ist unsafe. So my question is: How it is possible to prevent, that user can change their own activity log parameters.

Best regards
J. Lichtscheidel

Greetings from Germany
I’m sorry for my bad English

Original text in German if someone here understand German:
Wir testen gerade einen möglichen Nutzen von Nextcloud für unser Unternehmen. Hierzu möchten wir bestimmte Aktivitäten protokollieren und überwachen. Dies lässt sich in Nextcloud zwar machen. Jedoch haben wir festgestellt, dass die Benutzer in den eigenen Einstellungen die Protokollierung deaktivieren können. Dies ist uns zu unsicher. Daher meine Frage: Wie kann verhindert werden, dass Benutzer Änderungen vornehmen können zur Protokollierung ihrer eigenen Aktivitäten.

Mit freundlichen Grüße
J. Lichtscheidel

Rickenbacker · June 20, 2019, 9:05pm

I don’t believe this is correct, “normal” users can’t change what is being logged, only someone who is a member of the admin group could make such changes.
It is of course possible to make configuration changes if you have access to that part of the filesystem where the configuration files are held, but that is the case with any system.
If you are concerned about the logs being modified, you will need to store them in a system where they can no longer be modified. An example of such a system is Splunk. An app exists that will visualise a lot of the information held in the Nextcloud logs. See here:
https://splunkbase.splunk.com/app/3398/

mwalpole · June 20, 2019, 10:25pm

Hi

I can not see the activity entry when logged in as admin when a users file has been shared via email. Are you able to see this?

Thanks

Mark

tflidd · June 21, 2019, 7:10am

Admin audit log is something you want to check out probably:
https://docs.nextcloud.com/server/16/admin_manual/configuration_server/logging_configuration.html?#admin-audit-log

sib-jl · June 21, 2019, 9:31am

Hello,
normal user who are not in admin-Group and in no Groupadmins are be able to go to

settings
activity
and then they can change the checkboxes
So I think, you are not right. They can modify log settings. But this is my problem. They shouldn’t do that. It should bei not allowed.
We must solve this problem. Otherwise we can not use nextcloud.

Best regards

sib-jl · June 21, 2019, 9:40am

Hi,
there are two options to share data with links.

at first with the link for sharing with persons who are users in nextcloud (link upstairs right)
second with the link for sharing witz persons woh are not users in nextcloud (add link)

Second option I can see entries, first option not. But I think that is ok.

Regards
Jochen

Rickenbacker · June 21, 2019, 7:55pm

I have just tried this. I removed the check box for " A new file or folder has been created" and for " A file or folder has been deleted", created and then deleted a folder. I then also removed the check box for “List your own actions in the stream” and again created and deleted a folder.
In all cases a log entry audit.log were create for each action (for creating a folder two log entries as Nextcloud creates both a “File created” and a “File written” log entry.