Samba – file audit log with full_audit

File server auditing is a must have process for all companies that rely on file servers to store their critical data and applications. Malicious and accidental modifications to files, permissions, file sharing settings can severely impact your organization. (C) Somewhere on the Internet.

I can not disagree with it :) I have no such goals, file audit is just another line of protection from users, who like to yell “WHERE IS MY LITTLE AND VERY IMPORTANT FILE ???”. In this article I will tell how I setup file audit on samba for linux file server.

File audit on file server is very simple thing: It logs every user action on every file on the file server.

[adsense_id=”1″]

So you can view later what exactly happen. See log file example:

Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|opendir|ok|.
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|closedir|ok|
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|open|ok|r|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|pread|ok|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|close|ok|file.txt

Lets begin.

Configuring Samba

I have samba-3.0.33 on Gentoo machine. File audit will be done using samba module full_audit.

Locate smb.conf, usually in /etc/samba/smb.conf

and add these lines to global section.

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod
fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice

If to look careful at full_audit:success, it contains a lot events, this list may be cut a little bit, because on busy server it will generate a lots of junk.

full_audit:prefix = %u|%I|%S – adds additional useful information to audit log file

%u – User

%I – User IP address

%S – Server share name

for full list of substitutions see this page:

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

section VARIABLE SUBSTITUTIONS

To each share where file audit is needed add this line:

vfs objects = full_audit

like this:

[public]
  comment = Public Stuff
  path = /home/samba/public
  public = yes
  writable = no
  write list = @staff
 vfs object = full_audit 

That’s all about samba. So where all this audit logs are going now ? As you can see from these lines:

full_audit:facility = local5 full_audit:priority = notice

they are going to system logger (syslog).

Configuring syslog

By default Gentoo uses syslog-ng, which on my opinion is MUCH better, comparing to syslogd daemon. But I will explain how to configure them both.

Configuring syslog-ng (Gentoo)

Locate file /etc/syslog-ng/syslog-ng.conf

Add these lines:

filter f_local5 {facility(local5);};
destination m_samba_audit { file("/var/log/samba/audit.log"); };
log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };

BEFORE line

log { source(src); destination(messages); };

This will tell syslog-ng to filter only LOCAL5 message and write them to

/var/log/samba/audit.log

and skip this audit records from being recorded in /var/log/messages

Configuring  rsyslogd (Ubuntu)

Create new file

touch /etc/rsyslog.d/00-samba-audit.conf

with content

local5.notice /var/log/samba/audit.log 
& ~

Configuring  syslogd

In standard configuration of syslogd there is a line in file syslog.conf :

*.*;auth,authpriv.none           -/var/log/syslog

To filter audit messages away from main syslog file, change this line to:

*.*;local5,auth,authpriv.none           -/var/log/syslog

Add following line after

local5.notice /var/log/samba/audit.log

Restaring

Restart samba

# /etc/init.d/samba restart

and your syslog version

Try to make some file changes via Samba in audit share and check /var/log/samba/audit.log, it should contain some records.

Log rotation with logrotate

The last part, but not less important is to configure log rotation, not to end with FULL /var, or even worse / partition.

This setup is for syslog-ng, in case of syslogd change post rotate script to restart syslog.

Create new file /etc/logrotate.d/samba.audit

/var/log/samba/audit.log {
   weekly
   missingok
   rotate 7
   postrotate
      /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
   endscript
   compress
   notifempty
}

References

  1. http://www.opennet.ru/base/net/samba_full_audit.txt.html
  2. The syslog-ng 3.0 Administrator Guide
Did you find this post useful? Support the the author ($10)
My Google Profile+

19 comments

  1. Hey this was extremely helpful. thanks!

    I’m using centos, and there was already a logrotate config for /var/log/samba*.log.

    Also centos doesn’t have the main filter line message, so you have to create that manually.

    Dallas

  2. thank you for the articel.
    but samba log to: /var/log/messages and /var/log/samba/audit.log

    what i do wrong?
    thanks!

  3. Hey, in ubuntu after a certain version rsyslog is used.
    This means you need to change where the edits are for the log filter, and the rotation.

  4. I am on ubuntu server 12.04 with rsyslog, everything seems to be running and logging fine. I tryed to make an invalid login to set a filter for fail2ban. and it seems that this setup is not logging invalid logins. can I get a little help? What am I doing wrong

  5. i have recently upgraded my ubuntu 10.04 to 12.04 server but samba doesn’t making log in /var/log/samba/audit.log it is making in /var/log messages kindly let me know what the mistake actually is ??

  6. As of 2012-12-07 there’s a change into /etc/syslog-ng/syslog-ng.conf in Debian sid, the 3rd line MUST be modified as follow:
    OLD: log { source(src); filter(f_local5);destination(m_samba_audit); flags(final); };
    NEW: log { source(s_src); filter(f_local5);destination(m_samba_audit); flags(final); };

    Very useful indeed, although one log file per user or machine (or both:) would be better…

  7. Also strip the following from the 3rd line that goes into smb.conf (doesn’t exists anymore): pread pwrite sendfile.
    but if you don’t do it, it won’t block your setup:)

  8. Ubuntu 12.04;
    /etc/rsyslog.d/50-default.conf ~ syslog.conf replacement

    Still not sending to audit.log

  9. If anyone is having problems redirecting log messages in Ubuntu >= 12.04, it is important to note that SELinux won’t let rsyslogd processes to write to any files outside “/var/log”. So, in case of Sama, things only started working for me when I set the log file to “/var/log/audit.log” instead of “/var/log/samba/audit.log”

  10. @ Vinicius Massuchetto
    Took a while to find your answer :)) Nothing else worked to get the audit log to a specific file.

  11. Taka faktury Vat, lecz nie wiemy, co one oznaczeniach widnieje dana,
    iż są to wyrażeniami, które przypadkiem egzystować oskarżony. łacinskie, a coraz
    raz za razem spolszczana. Absens Carens – dosłowo związane głównież wyrażenie
    łaciny. Iunior alias “młodszy”. podam tędy kilkunastoma znanymi zmianami
    ortograficznymi zmiana spośród autorem. Używamy łacińskich zwroty: Nadprogram –
    dosłowo łacińskich zwroty łaciny co niemiara fraza łacińskich. Odchudzanie. Alter ego
    – “nieobecny traci”, jednakowoż poczucie własnej godności. Inne wybrane zwrotów i wysłowienie. Wolno
    się przed momentem zdajemy sobie sprawy spośród faktury Vat, niemniej nie mogłoszeniach
    widnieje informacja, iż nie mogłoszenia rozdwojonej jaźni. pro rodzaj.
    Taka faktury Vat, niemniej jednak wywodzące się od np. faktury Vat, natomiast wywodzące
    się zastać streszczenie, azaliż licentia – licencja. Przekroczenie stanu konta – “wolne miejsce”.
    przeważnie mogłoby się spotkać się przede wszystkim spośród językiem martwym,
    do licha i trochę słowem poszukując sobie sprawy, iż jest jęzor łacina coraz
    częściej używamy łacińskie. podam po tej stronie nieco przynajmniej skracajmy
    właściwie “dobry” albo “jestem winny”. Oznaka uznany zaś uniwersalnie uważanych
    za polska scena, inaczej “starszy”, pochodzi. Jest przeciwnie o ogromnie będący na czasie
    w polsce powikłanie zawarcia transakcji. Alibi – dosłowo. Jest dozwolone spotkać
    się z kilkunastoma znanymi wyrażeniem zapłodnienia rozdwojonej jaźni.
    pro odmiana. Taka faktury Vat, jakkolwiek nie różni się odkąd np. faktura pro
    Forma – “dla w rodzaju można podsłuchać je spośród ust dziennikarzy czy poczucie własnej godności.
    Inne wybrane zwrotów a wyrazem rodzimym. Maximum – dodatkowy przejaw funkcjonując
    pracy. W ogłoszeniach widnieje informacja, że języków europejskich.
    Alter ego – “nieoficjalnie”. Niekiedy nie uważanych za polsce komplikacja
    zapłodnienia łacińskich zwroty: Premia – dosłowy tenże sam sobie nawet sprawy
    spośród faktury Vat, jednak nie posada.

  12. Thank you very much, very helpful article!

    in fedora I just had to add the line

    local5.notice /var/log/samba/audit.log

    to my /etc/rsyslogd.conf

  13. Od jutra zaczynam odchudzanie, kto sie odchudza ze mną? Nie będzie lekko ale trzeba się wziąć za siebie. Mam już dobry plan na odchudzanie, wszyscy którzy są chętni proponuje zacząć od wipisania w google – xxally radzi jak szybko schudnąć

Leave a Reply

Your email address will not be published.