File server auditing is a must have process for all companies that rely on file servers to store their critical data and applications. Malicious and accidental modifications to files, permissions, file sharing settings can severely impact your organization. (C) Somewhere on the Internet.

I can not disagree with it 😃 I have no such goals, file audit is just another line of protection from users, who like to yell "WHERE IS MY LITTLE AND VERY IMPORTANT FILE ???". In this article I will tell how I setup file audit on samba for linux file server.

File audit on file server is very simple thing: It logs every user action on every file on the file server.

So you can view later what exactly happen. See log file example:

Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|opendir|ok|.
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|closedir|ok|
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|open|ok|r|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|pread|ok|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|close|ok|file.txt

Lets begin.

# Configuring Samba

I have samba-3.0.33 on Gentoo machine. File audit will be done using samba module full_audit.

Locate smb.conf, usually in /etc/samba/smb.conf

and add these lines to global section.

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod
fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice

If to look careful at full_audit:success, it contains a lot events, this list may be cut a little bit, because on busy server it will generate a lots of junk.

full_audit:prefix = %u|%I|%S - adds additional useful information to audit log file

%u - User

%I - User IP address

%S - Server share name

for full list of substitutions see this page:

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

section VARIABLE SUBSTITUTIONS

To each share where file audit is needed add this line:

<strong>vfs objects = full_audit</strong>

like this:

[public]
  comment = Public Stuff
  path = /home/samba/public
  public = yes
  writable = no
  write list = @staff
<strong> vfs object = full_audit </strong>

That's all about samba. So where all this audit logs are going now ? As you can see from these lines:

<strong>full_audit:facility = local5 full_audit:priority = notice</strong>

they are going to system logger (syslog).

# Configuring syslog

By default Gentoo uses syslog-ng, which on my opinion is MUCH better, comparing to syslogd daemon. But I will explain how to configure them both.

Configuring syslog-ng (Gentoo)

Locate file /etc/syslog-ng/syslog-ng.conf

Add these lines:

filter f_local5 {facility(local5);};
destination m_samba_audit { file("/var/log/samba/audit.log"); };
log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };

BEFORE line

log { source(src); destination(messages); };

This will tell syslog-ng to filter only LOCAL5 message and write them to

/var/log/samba/audit.log

and skip this audit records from being recorded in /var/log/messages

Configuring  rsyslogd (Ubuntu)

Create new file

touch /etc/rsyslog.d/00-samba-audit.conf

with content

local5.notice /var/log/samba/audit.log 
& ~

Configuring  syslogd

In standard configuration of syslogd there is a line in file syslog.conf : ``` *.*;auth,authpriv.none -/var/log/syslog ```

To filter audit messages away from main syslog file, change this line to:

*.*;local5,auth,authpriv.none           -/var/log/syslog

Add following line after

local5.notice /var/log/samba/audit.log

# Restaring

Restart samba

# /etc/init.d/samba restart

and your syslog version

Try to make some file changes via Samba in audit share and check /var/log/samba/audit.log, it should contain some records.

# Log rotation with logrotate

The last part, but not less important is to configure log rotation, not to end with FULL /var, or even worse / partition.

This setup is for syslog-ng, in case of syslogd change post rotate script to restart syslog.

Create new file /etc/logrotate.d/samba.audit

/var/log/samba/audit.log {
   weekly
   missingok
   rotate 7
   postrotate
      /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
   endscript
   compress
   notifempty
}

References

  1. http://www.opennet.ru/base/net/samba_full_audit.txt.html
  2. The syslog-ng 3.0 Administrator Guide