Purpose

Auditing is a great way to track security-relevant information regarding your storage. A successful security auditing policy will help you deeply understand several aspects and answering a lot of questions, such as

Which user is accessing your storage the most?

How many users are accessing my storage each day?

What are the most used system calls on my system?

Who read, wrote, deleted or modified my file(s)

What are the most accessed files?

Is there any huge suspicious amount of failed logins?

Resolution

We support couple of methods based on your needs:

1- Using Linux Audit:

- Pros:

system wide service, so you can audit every single aspect
very rich output
You can log File systems [Local, NFS, CIFS] , System calls and much more

- Cons:

Huge amounts of log files, needs a separate partition
Output is hard to interpret as a syntax and from the size point of view
Needs a Centralized log management system for further log interpretation and deep understanding for the generated amount of logs
Uses higher system resources than the below method

2- Using Samba VFS:

- Pros:

Resources friendly
Very friendly output
Not generating a huge amount of log files

- Cons:

Only auditing Samba-based shares, so it will not provide an overall view about all system aspects

I- Linux Audit:

RedHat documentations are a great resource on how to configure Audit, but here you are a quick tips and nodes

1- You will need to start with a plan, what exactly you need to monitor and why.

2- Log files needs to be on a different partition [if not forwarding it to a management system]

3- You will need to tweak /etc/audit/auditd.conf based on your own auditing plan

4- At busy systems you might need to increase the Audit buffer

5- General rule of thumb when monitoring file systems, you will need a rule per pool, volume or even a directory [based on your needs] and you will need to decide what you will need to audit: reads, writes, executes or attribute changes. Mainly it will look like the below line:

auditctl -w path_to_file -p permissions -k key_name

6- Try using key names for better searching

7- You will need to revisit your policy for much more optimization excluding the heavy repeated system calls [if useless], excluding heavily read files or whatever seems to be useless for you based on your plan.

8- The below command is very useful in the above step, for example we can check the most used executable:

Then you can exclude the desire command or whatever using an exclude rule in your auditd rules files

II- Samba VFS:

[SoftNAS KB]: Samba Shares audit logging is illustrating in details how to use Stackable VFS (Virtual File System) to audit samba

Update History

05-26-2017	Template Created

Browser not supported