[SoftNAS KB]: Samba Shares audit logging

Purpose

This document details how to configure detailed auditing on CIFS shares. You will be able to audit every operation each user performs on every file and directory of a given share: opening, creating, modifying, deleting and much more. This helps in several areas, such as monitoring the activity of each user/application on the storage, detecting suspicious activity, and establishing which user/application caused a given data loss.

Our approach to this level of granular auditing uses Samba's stackable VFS (Virtual File System) modules: Samba passes every request to access the file system through the VFS layer, so a module loaded there (here, vfs_full_audit) sees, and can log, each operation.

Steps

 

  • 1.      Configuring Samba:

-          Using the CLI or the UI, add the following lines to the main Samba configuration file [/etc/samba/smb.conf] under the [global] section:

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice


      • You can arrange the full_audit:prefix as you want (%u is the session user name, %I the client IP address and %S the share name); for the full list of substitutions, refer to the following link:

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

      • For the list of auditable operations accepted by full_audit:success and full_audit:failure, refer to the following link:

https://www.samba.org/samba/docs/man/manpages-3/vfs_full_audit.8.html


The configuration example above results in the following form:


  • 2.     Samba share configuration:

-          Add the following line to the section of every CIFS share you want audited (if the share already has a vfs objects line listing other modules, add full_audit to that list instead of replacing it):

vfs objects = full_audit

-          Run testparm to verify the syntax of smb.conf, then restart Samba:

service  smb restart


  • 3.      Configuring rsyslog:

-          Tell rsyslog where to write the audit messages by adding the following line to /etc/rsyslog.conf. The facility and priority selector must match the full_audit:facility and full_audit:priority values set in smb.conf:

local5.notice              /var/log/samba-audit.log

-          Restart rsyslog:

service  rsyslog restart

Finally, check your log file [in our example /var/log/samba-audit.log].
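As an added example (not part of the original KB article), the following Python script reads an audit log produced by the configuration above and answers the questions the audit is meant for: who deleted what, which user accounts for most destructive operations, and which clients are repeatedly failing to connect. The log lines embedded in the script are constructed for the example; they follow the message shape vfs_full_audit emits through syslog with full_audit:prefix = %u|%I|%S (prefix, operation, ok/fail, operation arguments, separated by "|"). The share name, user names, client addresses and the rsyslog timestamp layout are assumptions, so adjust LINE_RE to match the rsyslog template on your system.

```python
"""Parse vfs_full_audit log lines and summarise who did what on a share.

SAMPLE_LOG is constructed for this example. Each message has the shape
    <%u>|<%I>|<%S>|<operation>|ok or fail|<operation arguments>
and the "date host smbd_audit:" part in front is what rsyslog prepends;
its exact layout depends on your rsyslog template (assumption: default).
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Oct 12 10:15:01 softnas smbd_audit: alice|192.168.1.20|finance|connect|ok|finance
Oct 12 10:15:02 softnas smbd_audit: alice|192.168.1.20|finance|opendir|ok|reports
Oct 12 10:15:03 softnas smbd_audit: alice|192.168.1.20|finance|open|ok|reports/q3.xlsx
Oct 12 10:15:04 softnas smbd_audit: alice|192.168.1.20|finance|pwrite|ok|reports/q3.xlsx
Oct 12 10:15:05 softnas smbd_audit: alice|192.168.1.20|finance|close|ok|reports/q3.xlsx
Oct 12 10:16:00 softnas smbd_audit: bob|10.0.0.7|finance|connect|ok|finance
Oct 12 10:16:01 softnas smbd_audit: bob|10.0.0.7|finance|unlink|ok|reports/q1.xlsx
Oct 12 10:16:01 softnas smbd_audit: bob|10.0.0.7|finance|unlink|ok|reports/q2.xlsx
Oct 12 10:16:02 softnas smbd_audit: bob|10.0.0.7|finance|unlink|ok|reports/q3.xlsx
Oct 12 10:16:02 softnas smbd_audit: bob|10.0.0.7|finance|rmdir|ok|reports
Oct 12 10:16:03 softnas smbd_audit: bob|10.0.0.7|finance|disconnect|ok|finance
Oct 12 10:20:00 softnas smbd_audit: guest|203.0.113.9|finance|connect|fail|finance
Oct 12 10:20:01 softnas smbd_audit: guest|203.0.113.9|finance|connect|fail|finance
"""

# Syslog-style "Mon DD HH:MM:SS host smbd_audit: <message>" (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: (?P<msg>.*)$"
)

# Operations that remove or overwrite data; used to answer "who caused the loss?".
DESTRUCTIVE_OPS = {"unlink", "rmdir", "rename", "ftruncate"}


def parse_line(line):
    """Return a dict for one audit line, or None if the line is not an audit record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("msg").split("|")
    # Three prefix fields (%u|%I|%S) + operation + result come first;
    # whatever follows is the operation's arguments.
    if len(fields) < 5:
        return None
    user, ip, share, op, result = fields[:5]
    # rename logs "old|new", so re-join the remaining fields instead of taking one.
    args = "|".join(fields[5:])
    return {"ts": m.group("ts"), "host": m.group("host"), "user": user,
            "ip": ip, "share": share, "op": op, "result": result, "args": args}


def parse_log(text):
    """Parse every audit line in the text, silently skipping non-audit lines."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def destructive_ops_by_user(events):
    """Count successful destructive operations per user."""
    return Counter(e["user"] for e in events
                   if e["op"] in DESTRUCTIVE_OPS and e["result"] == "ok")


def who_removed(events, path):
    """List (timestamp, user, ip, share, op) for the records that removed `path`.

    `path` is relative to the share root, as full_audit logs it.
    """
    return [(e["ts"], e["user"], e["ip"], e["share"], e["op"])
            for e in events
            if e["op"] in ("unlink", "rmdir") and e["result"] == "ok"
            and e["args"] == path]


def failed_connects(events, threshold=2):
    """Return {(user, ip): count} for clients with at least `threshold` failed connects."""
    counts = Counter((e["user"], e["ip"]) for e in events
                     if e["op"] == "connect" and e["result"] == "fail")
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("destructive operations per user:", dict(destructive_ops_by_user(events)))
    print("who removed reports/q2.xlsx:", who_removed(events, "reports/q2.xlsx"))
    print("repeated failed connects:", failed_connects(events))
```

To run it against a real file, replace SAMPLE_LOG with the contents of /var/log/samba-audit.log; lines from other programs that rsyslog may route into the same file are ignored by parse_line because they lack the smbd_audit ident.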


Notes:

Keep in mind that this generates a large volume of log data. Place the log file on a separate volume, set up log rotation for it, and restrict the audited operations in full_audit:success to the ones you really care about; read and pread in particular produce a record for every read request.