This document detail how to configure detailed auditing on CIFS shares, you will be able to audit every operation done by each user connecting to a certain share towards each file and directory starting from opening, creating, modifying, deleting and much more. That will help you in several areas, such as monitoring the activity of each user/application on the storage, detecting any suspicious activity and which user/application caused a certain data loss for example.
Our approach for such level of granular auditing is using Stackable VFS (Virtual File System) modules that samba passes all its request to access the file system to it
- Using CLI or UI paste the following lines in Samba main configuration file [/etc/samba/smb.conf] under the [global] section.
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod
fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice
- you can arrange the full_audit:prefix as you want, for more details refer to the following link:
- for more details regarding the auditable operations in full_audit:success refer to the following link:
The previous configurations example will lead at the end to the following form:
- 2. Samba share configuration:
- You will need to add the following per every CIFS shares that you need to get audit:
vfs objects = full_audit
- Restart Samba:
service smb restart
- You will need to add the log file where samba will be auditing in, by adding the following line in /etc/rsyslog.conf
- service rsyslog restart
And finally check your log file [in our example /var/log/samba-audit.log ]
Do not forget that this will generate a big amount of logs, so you would better add the log file in different volume and customize your auditing to the operations that you really care about.