Cloudron Forum

Audit admin access to Nextcloud user files

Shai wrote (#1):

I'd like to not use Nextcloud's encryption-at-rest.

So I would love to be able to provide users with server logs that would show any time a file was accessed by someone who did not own it or have share-access to it.

In other words, I want to do more than promise, "I won't access user files."

Ideas? I know there is a Linux program, Auditd. I wanted to get other folks' perspectives before I dive into that.

girish (Staff) wrote (#2):

@shai said in Audit admin access to Nextcloud user files:

So I would love to be able to provide users with server logs that would show any time a file was accessed by someone who did not own it or have share-access to it.

Trying to understand your question. Are you referring to users somehow accessing the files via SSH'ing into your server? If not, how can someone access files they did not own?

subven wrote (#3):

@shai said in Audit admin access to Nextcloud user files:

I'd like to not use Nextcloud's encryption-at-rest.

You won't be able to protect unencrypted files even if you promise. Think of stuff like the backup process (or user) reading the file. As a server admin there will always be a way to access these files. The feature you want should be requested upstream since this cannot be solved within Cloudron.

Note that Nextcloud admins will always be able to impersonate users.

You have to trust your administrators and if you don't want to rely on promises, secure them with a contract. This is the standard procedure.

In most cases Cloudron "User Manager" + Nextcloud "Group administrator" roles are sufficient so you don't have to give someone SSH/admin access.

Shai wrote (#4):

@subven

You won't be able to protect unencrypted files even if you promise.

It's not so much about protection that I'm after but rather making admin access transparent.

Note that Nextcloud admins will always be able to impersonate users.

Yes, but I'm imagining that would trigger a log entry that would be made available to instance users.

The feature you want should be requested upstream since this cannot be solved within Cloudron.

Agreed.

You have to trust your administrators.

We should not have to trust administrators. I hope the goal of Nextcloud is to be a true alternative to Google cloud apps. If we are just asking folks to trust one administrator instead of another administrator then Nextcloud becomes less compelling, in my opinion.

Shai wrote (#5):

@girish

Trying to understand your question. Are you referring to users somehow accessing the files via SSH'ing into your server? If not, how can someone access files they did not own?

My interest is in auditing admin access and making those audits transparent.

girish (Staff) wrote (#6):

@shai I see, I guess this is more a feature request for Nextcloud since only the app knows when a doc was accessed and by whom. Maybe you can try their forum - https://help.nextcloud.com/

Shai wrote (#7):

@girish

Will do. Thx for the link.

murgero (App Dev) wrote (#8):

@shai There may also be a plugin that does this too - it's worth trying to search on Nextcloud's own store-front for plugins.

--
https://urgero.org
~ Professional Nerd. Freelance Programmer. ~
