File server auditing is a must-have process for all companies that rely on file servers to store their critical data and applications. Malicious and accidental modifications to files, permissions, and file sharing settings can severely impact your organization. (C) Somewhere on the Internet.
I cannot disagree with that 😃 I have no such lofty goals; for me, file audit is just another line of defence against users who like to yell "WHERE IS MY LITTLE AND VERY IMPORTANT FILE ???". In this article I will show how I set up file auditing with Samba on a Linux file server.
File auditing on a file server is a very simple thing: it logs every user action on every file on the server, so you can later see exactly what happened. A log file example:
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|opendir|ok|.
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|closedir|ok|
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|open|ok|r|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|pread|ok|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|close|ok|file.txt
Let's begin.
I have samba-3.0.33 on a Gentoo machine. File auditing will be done with the Samba VFS module full_audit.
Locate smb.conf (usually /etc/samba/smb.conf) and add these lines to the [global] section:
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice
If you look carefully at full_audit:success, it contains a lot of events. On a busy server this list generates a lot of junk (every read and write of every file is logged), so it may be trimmed a little to the operations you actually care about.
full_audit:prefix = %u|%I|%S adds useful information to the start of every audit record:
%u - user
%I - user IP address
%S - server share name
For the full list of substitutions see the VARIABLE SUBSTITUTIONS section of the smb.conf man page:
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
To each share where file auditing is needed add this line:
vfs objects = full_audit
like this:
[public]
comment = Public Stuff
path = /home/samba/public
public = yes
writable = no
write list = @staff
vfs objects = full_audit
That's all on the Samba side. So where are all these audit logs going now? As these two lines show:
full_audit:facility = local5
full_audit:priority = notice
they go to the system logger (syslog), with facility local5 and priority notice.
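Because the parameter name is easy to get wrong (it is "vfs objects", plural; smbd treats the singular form as an unknown parameter, and testparm will complain about it), here is a small checker, added as an example and not part of the original post. It reads smb.conf with Python's configparser, tuned for Samba's dialect (":" inside parameter names, "%" in values, case- and whitespace-insensitive names), and reports which shares load full_audit, which do not, which carry the singular typo, and which of the five full_audit parameters from the [global] block above are missing. The smb.conf text below is constructed for the example.

```python
import configparser

# Constructed smb.conf excerpt (not the post's full config): the [global] audit
# settings from the post plus three shares; [projects] carries the "vfs object"
# (singular) misspelling that smbd does not recognise.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    # Audit settings
    full_audit:prefix = %u|%I|%S
    full_audit:failure = connect
    full_audit:success = connect disconnect open close unlink rename
    full_audit:facility = local5
    full_audit:priority = notice

[public]
    comment = Public Stuff
    path = /home/samba/public
    vfs objects = full_audit

[projects]
    path = /home/samba/projects
    vfs object = full_audit

[scratch]
    path = /home/samba/scratch
"""

# The five full_audit parameters the post sets in [global].
AUDIT_GLOBAL_KEYS = (
    "full_audit:prefix",
    "full_audit:failure",
    "full_audit:success",
    "full_audit:facility",
    "full_audit:priority",
)


def _norm(name):
    """Samba ignores case and whitespace in parameter names ("VFS Objects" == "vfsobjects")."""
    return "".join(name.split()).lower()


def load_smb_conf(text):
    """Parse smb.conf text with configparser, tuned for Samba's dialect."""
    parser = configparser.ConfigParser(
        delimiters=("=",),     # ":" belongs to names like full_audit:prefix
        interpolation=None,    # keep %u|%I|%S literal
        strict=False,          # repeated keys: last one wins, as in smbd
    )
    parser.optionxform = _norm
    # Strip indentation: configparser would otherwise read an indented key
    # as a continuation line of the previous value.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    return parser


def audit_report(parser):
    """Report which shares load full_audit and what is missing."""
    report = {"missing_global": [], "audited": [], "unaudited": [], "typo": []}
    global_name = next((s for s in parser.sections() if s.lower() == "global"), None)
    glob = parser[global_name] if global_name else {}
    for key in AUDIT_GLOBAL_KEYS:
        if _norm(key) not in glob:
            report["missing_global"].append(key)
    for share in parser.sections():
        if share == global_name:
            continue
        section = parser[share]
        modules = (section.get("vfsobjects") or "").split()
        if "full_audit" in modules:
            report["audited"].append(share)
        else:
            report["unaudited"].append(share)
            if "vfsobject" in section:   # singular: smbd reports it as an unknown parameter
                report["typo"].append(share)
    return report


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for key, value in audit_report(load_smb_conf(text)).items():
        print(f"{key}: {value}")
```

Run it as `python check_audit.py /etc/samba/smb.conf` (the script name is my own); with no argument it checks the embedded sample and lists [projects] under both "unaudited" and "typo". It is a complement to testparm, not a replacement: testparm validates the whole file, this only answers the one question of where auditing is switched on.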
By default Gentoo uses syslog-ng, which in my opinion is MUCH better than the syslogd daemon. But I will explain how to configure both.
For syslog-ng, add these lines to its configuration file (on Gentoo usually /etc/syslog-ng/syslog-ng.conf):
filter f_local5 {facility(local5);};
destination m_samba_audit { file("/var/log/samba/audit.log"); };
log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };
BEFORE this line:
log { source(src); destination(messages); };
This tells syslog-ng to pick out only local5 messages and write them to
/var/log/samba/audit.log
and, because of flags(final), to stop processing them there, so the audit records are not also written to /var/log/messages.
For rsyslog, create /etc/rsyslog.d/00-samba-audit.conf
with this content:
local5.notice /var/log/samba/audit.log
& ~
The "& ~" line directly after the local5.notice rule discards the messages that rule just matched, so they do not also end up in the main syslog file (newer rsyslog versions spell this "& stop"; "& ~" still works but is deprecated there). Alternatively, keep the audit messages out of the main syslog file by changing its catch-all line to exclude local5:
*.*;local5,auth,authpriv.none -/var/log/syslog
Restart Samba
# /etc/init.d/samba restart
and your syslog daemon, so both pick up the new configuration.
Then make some file changes via Samba in an audited share and check /var/log/samba/audit.log; it should contain some records.
The last, but no less important, part is to configure log rotation, so you don't end up with a FULL /var or, even worse, / partition.
This setup is for syslog-ng; with syslogd/rsyslog, change the postrotate command to restart that daemon instead.
Create a new file /etc/logrotate.d/samba.audit:
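Once records are arriving, the interesting work is reading them. The following Python script is an added example, not part of the original post: it parses lines in the format shown at the top of the post (syslog header, the smbd_audit tag, then the record "%u|%I|%S|operation|result|arguments..." produced by the prefix above), counts operations so you can see which ones flood the log and are candidates for dropping from full_audit:success, lists every record that touched a given file name (the "where is my file" question, including its rename and deletion), and pulls out failed operations such as a refused connect. The log lines are constructed for the example; the "fail (...)" result form is what full_audit writes for failures, but no real traffic is shown.

```python
import posixpath
import re
from collections import Counter

# Constructed audit.log excerpt in the format shown at the top of the post
# (syslog header, "smbd_audit:", then the full_audit record
# "%u|%I|%S|operation|result|arguments..."). Not real traffic.
SAMPLE_AUDIT_LOG = """\
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|opendir|ok|.
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|closedir|ok|
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|open|ok|r|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|pread|ok|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|pread|ok|file.txt
Oct 23 16:06:45 server smbd_audit: user01|192.168.0.23|project|pread|ok|file.txt
Oct 23 16:06:45 server smbd_audit: user01|192.168.0.23|project|pread|ok|file.txt
Oct 23 16:06:45 server smbd_audit: user01|192.168.0.23|project|close|ok|file.txt
Oct 23 16:07:02 server smbd_audit: user02|192.168.0.41|project|rename|ok|file.txt|old/file.txt
Oct 23 16:07:30 server smbd_audit: user02|192.168.0.41|project|unlink|ok|old/file.txt
Oct 23 16:08:11 server smbd_audit: user03|192.168.0.77|project|connect|fail (Permission denied)|project
"""

# syslog header, then the module tag (optionally with a PID), then the record
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"smbd_audit(?:\[\d+\])?: (?P<rec>.*)$"
)


def parse_line(line):
    """Turn one audit.log line into a dict, or None if it is not an audit record."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.group("rec").split("|")
    if len(fields) < 5:          # prefix (3 fields) + operation + result at minimum
        return None
    user, ip, share, op, result = fields[:5]
    return {"ts": m.group("ts"), "host": m.group("host"), "user": user, "ip": ip,
            "share": share, "op": op, "ok": result == "ok", "result": result,
            "args": fields[5:]}   # e.g. ["r", "file.txt"] for open, [old, new] for rename


def parse_log(text):
    """Parse a whole log, silently skipping lines from other programs."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def op_counts(records):
    """Which operations dominate the log: candidates for trimming full_audit:success."""
    return Counter(r["op"] for r in records)


def file_history(records, name):
    """Every record that touched a file with this basename, in log order."""
    return [r for r in records
            if any(posixpath.basename(a) == name for a in r["args"])]


def failures(records):
    """Records whose result is not "ok" (e.g. a refused connect)."""
    return [r for r in records if not r["ok"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    print("operations:", op_counts(recs).most_common())
    for r in file_history(recs, "file.txt"):
        print(r["ts"], r["user"], r["ip"], r["op"], r["args"])
    print("failures:", [(r["user"], r["ip"], r["result"]) for r in failures(recs)])
```

Matching on the basename is deliberate: a rename records both the old and the new path, so the history of "file.txt" follows it into old/ and ends with the unlink by user02, which is exactly the answer the yelling user needs. To run it against the real log, read /var/log/samba/audit.log into parse_log instead of the sample.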
/var/log/samba/audit.log {
    weekly
    missingok
    rotate 7
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
    compress
    notifempty
}