Purpose

This document details how to configure detailed auditing on CIFS shares. You will be able to audit every operation that each user connecting to a share performs on each file and directory: opening, creating, modifying, deleting and much more. This helps in several areas, such as monitoring the activity of each user/application on the storage, detecting suspicious activity, and identifying which user/application caused a given data loss.

Our approach to this level of granular auditing uses stackable VFS (Virtual File System) modules, to which Samba passes all of its file system access requests.

Steps

 

1- Configuring Samba:

- Using the CLI or UI, paste the following lines into the main Samba configuration file [/etc/samba/smb.conf] under the [global] section.

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice


  • You can arrange the full_audit:prefix as you want; for more details, refer to the following link:

...

Do not forget that this will generate a large volume of logs, so it is better to place the log file on a separate volume and limit auditing to the operations you really care about.
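To show what the resulting records can be used for, here is an added example (not part of the original document) that parses audit lines written with the %u|%I|%S prefix above and reports failed operations and sessions with many successful deletes. The sample lines are constructed, and the "smbd_audit: prefix|operation|result|arguments" message layout, the function names and the threshold are assumptions to check against your own log file.

```python
import re
from collections import Counter

# Constructed sample lines, not real logs. Assumed message layout:
# "smbd_audit: <prefix>|<operation>|<result>|<arguments>", with the prefix
# %u|%I|%S from the configuration above (user, client IP, share).
SAMPLE_LOG = """\
May 26 10:00:01 nas smbd_audit: alice|192.0.2.10|projects|connect|ok|projects
May 26 10:00:02 nas smbd_audit: alice|192.0.2.10|projects|open|ok|w|report.docx
May 26 10:00:03 nas smbd_audit: alice|192.0.2.10|projects|pwrite|ok|report.docx
May 26 10:01:10 nas smbd_audit: carol|192.0.2.30|finance|connect|fail (Permission denied)|finance
May 26 10:02:00 nas smbd_audit: bob|192.0.2.20|projects|unlink|ok|a.xlsx
May 26 10:02:00 nas smbd_audit: bob|192.0.2.20|projects|unlink|ok|b.xlsx
May 26 10:02:01 nas smbd_audit: bob|192.0.2.20|projects|unlink|ok|c.xlsx
May 26 10:02:01 nas smbd_audit: bob|192.0.2.20|projects|rmdir|ok|archive
May 26 10:02:05 nas sshd[811]: unrelated line that must be ignored
"""

AUDIT_RE = re.compile(r"smbd_audit: (?P<body>.*)$")
DELETE_OPS = {"unlink", "rmdir"}

def parse_line(line):
    """Return a dict for one audit record, or None for anything else."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    # maxsplit=5: the arguments can contain '|' themselves, keep them whole.
    parts = m.group("body").split("|", 5)
    if len(parts) < 5:
        return None
    user, ip, share, op, result = parts[:5]
    return {"user": user, "ip": ip, "share": share, "op": op,
            "ok": result == "ok", "result": result,
            "args": parts[5] if len(parts) == 6 else ""}

def summarize(text, delete_threshold=3):
    """Return (failed records, sessions with successful deletes >= threshold)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    failures = [r for r in records if not r["ok"]]
    deletes = Counter((r["user"], r["ip"], r["share"])
                      for r in records if r["ok"] and r["op"] in DELETE_OPS)
    flagged = {k: n for k, n in deletes.items() if n >= delete_threshold}
    return failures, flagged

if __name__ == "__main__":
    failures, flagged = summarize(SAMPLE_LOG)
    for r in failures:
        print("FAILED", r["user"], r["ip"], r["share"], r["op"], r["result"])
    for (user, ip, share), n in flagged.items():
        print("MANY DELETES", user, ip, share, n)
```

If you rearrange full_audit:prefix, change the field unpacking in parse_line to match the new order.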


Update History

05-26-2017 Template Created 



 

...