This document details how to configure detailed auditing on CIFS shares. You will be able to audit every operation that each user connecting to a given share performs on each file and directory: opening, creating, modifying, deleting and much more. This helps in several areas, such as monitoring the activity of each user/application on the storage, detecting any suspicious activity, and identifying which user/application caused a certain data loss.
Our approach to this level of granular auditing is to use Stackable VFS (Virtual File System) modules, to which Samba passes all of its requests to access the file system.
1. Configuring Samba:
- Using the CLI or UI, paste the following lines into the main Samba configuration file [/etc/samba/smb.conf] under the [global] section.
# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod
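
As an added example (not part of the original document), the Python code below parses the records produced with the prefix above and reports successful deletions per user, client IP and share, plus failed connects. It assumes the module is loaded with vfs objects = full_audit, that records reach syslog under the smbd_audit tag in the form prefix|operation|result|arguments, and that the sample lines, host name and user names are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original document). Assumed
# record layout after the tag: %u|%I|%S|operation|result|arguments.
SAMPLE_LOG = """\
Jan 10 09:00:01 nas smbd_audit: alice|10.0.0.21|projects|connect|ok|projects
Jan 10 09:00:05 nas smbd_audit: alice|10.0.0.21|projects|open|ok|r|plan.docx
Jan 10 09:01:12 nas smbd_audit: bob|10.0.0.34|projects|unlink|ok|reports/q1.xlsx
Jan 10 09:01:13 nas smbd_audit: bob|10.0.0.34|projects|unlink|ok|reports/q2|draft.xlsx
Jan 10 09:01:14 nas smbd_audit: bob|10.0.0.34|projects|rmdir|ok|reports
Jan 10 09:02:00 nas smbd_audit: carol|10.0.0.50|projects|rename|ok|a.txt|b.txt
Jan 10 09:03:00 nas smbd_audit: dave|10.0.0.99|projects|connect|fail (Permission denied)|projects
Jan 10 09:03:01 nas kernel: unrelated message
"""

# Assumption: the syslog tag is "smbd_audit", optionally followed by a PID.
RECORD_RE = re.compile(r"smbd_audit(?:\[\d+\])?: (.*)$")
DESTRUCTIVE_OPS = {"unlink", "rmdir"}

def parse_line(line):
    """Return a dict for one audit record, or None for non-audit lines."""
    match = RECORD_RE.search(line)
    if not match:
        return None
    # Split only on the five leading separators so that a "|" inside a
    # file name stays in the arguments field.
    parts = match.group(1).split("|", 5)
    if len(parts) < 6:
        return None
    user, ip, share, op, result, args = parts
    return {"user": user, "ip": ip, "share": share, "op": op,
            "ok": result == "ok", "result": result, "args": args}

def records(log_text):
    """Parse every audit record in a block of syslog text."""
    return [r for r in map(parse_line, log_text.splitlines()) if r]

def deletions_by_client(log_text):
    """Count successful unlink/rmdir operations per (user, ip, share)."""
    return Counter((r["user"], r["ip"], r["share"]) for r in records(log_text)
                   if r["ok"] and r["op"] in DESTRUCTIVE_OPS)

def failed_connects(log_text):
    """List (user, ip, share) for connect attempts logged as failed."""
    return [(r["user"], r["ip"], r["share"]) for r in records(log_text)
            if r["op"] == "connect" and not r["ok"]]
```

Because the configuration above lists only connect under full_audit:failure, a denied delete or write attempt produces no record; add those operations to full_audit:failure if rejected attempts should be visible too.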