[Samba] Tracking file activity

Ryan Steele steele at agora-net.com
Wed Aug 1 19:04:27 GMT 2007


Dale,

Upon hearing Volker Lendecke's suggestion that full_audit was
superseding the other two, I opted to use it.  And, as you mentioned, I
did read the docs and put the log parameters in the global container. 
However, I've not been able to get it to log to _anything_ other than
syslog.  I've settled on the fact that I'll have to pick information out
of syslog, unless someone can point out a working config that can
achieve different results - in which case I'm all ears.  Here's what
I've got:

[global]
   syslog = 0
   syslog only = No
   log level = 0 vfs:2
   ; No VFS info ever makes it here
   log file = /var/log/samba/log.%m.%U
   obey pam restrictions = Yes
   encrypt passwords = Yes
   local master = no
   domain master = no
   preferred master = no
   netbios name = Testbox
   workgroup = TESTDOMAIN
   server string = %h server (Testing Audit Support)
   wins support = yes
   dns proxy = yes
   name resolve order = wins lmhosts host bcast
   smb ports = 139
   max log size = 1000000
   panic action = /usr/share/samba/panic-action %d
   security = user
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700
[Shared Files]
    vfs objects = full_audit
    full_audit:prefix = %u|%I
    full_audit:failure = none
    full_audit:success = open write close
    path = /home/sharedfiles
    directory mask = 0775
    create mask = 0664
    comment = "DMG Files"
    browseable = yes
    writable = yes
    oplocks = No
    level2 oplocks = No


And, while I'm asking questions, why is it that different apps give me
different results in terms of number of calls to open, close, etc?   I
assume there's more than one because the addresses are memory mapped -
does the actual number just depend on how the individual app goes out to
fetch those addresses?

As always, thanks in advance.

Ryan

-- 
Ryan Steele
Systems Administrator
Greater Philadelphia Area

GPG Signature:    http://www.agora-net.com/~steele/signature.asc



Dale Schroeder wrote:
> Ryan,
>
> I don't believe it is possible to set log parameters in the share.  It
> must be done in global.
> Also notice this from the HowTo:
> " This module is identical with the |audit| module above except that
> it sends audit logs to both /*syslog*/ as well as the |smbd| log files."
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html#id409434
>
>
> Dale
>
> Ryan Steele wrote:
>> Ryan Steele wrote:
>>> Ray Anderson wrote:
>>>> Been using it for a while now:
>>>>
>>>> smb.conf entry:
>>>> # turn on auditing
>>>> vfs objects = audit
>>>>
>>>> In the Samba howto collection, section 21.3:
>>>>
>>>> 21.3 Included Modules
>>>> 21.3.1 audit
>>>> 21.3.2 extd audit
>>>>
>>>> And just for completeness:
>>>>
>>>> 21.3.1 audit
>>>> A simple module to audit file access to the syslog facility. The
>>>> following operations are
>>>> logged:
>>>> • share
>>>> • connect/disconnect
>>>> • directory opens/create/remove
>>>> • file open/close/rename/unlink/chmod
>>>> 21.3.2 extd audit
>>>> This module is identical with the audit module above except that it
>>>> sends audit logs to
>>>> both syslog as well as the smbd log files. The log level for this
>>>> module is set in the smb.
>>>> conf file.
>>>> Valid settings and the information that will be recorded are shown
>>>> in the next table.
>>>> 21.3.2.1 Configuration of Auditing
>>>> This auditing tool is more flexible than most people readily will
>>>> recognize. There are a
>>>> number of ways by which useful logging information can be recorded.
>>>> • Syslog can be used to record all transaction. This can be
>>>> disabled by setting in the
>>>> smb.conf file syslog = 0.
>>>>
>>>> Section 21.3. Included Modules
>>>> Table 21.1. Extended Auditing Log Information
>>>> Log Level Log Details - File and Directory Operations
>>>> 0 Make Directory, Remove Directory, Unlink
>>>> 1 Open Directory, Rename File, Change Permissions/ACLs
>>>> 2 Open & Close File
>>>> 10 Maximum Debug Level
>>>> • Logging can take place to the default log file (log.smbd) for all
>>>> loaded VFS modules
>>>> just by setting in the smb.conf file log level = 0 vfs:x, where x is
>>>> the log level.
>>>> This will disable general logging while activating all logging of
>>>> VFS module activity
>>>> at the log level specified.
>>>> • Detailed logging can be obtained per user, per client machine,
>>>> etc. This requires the
>>>> above together with the creative use of the log file settings.
>>>> An example of detailed per-user and per-machine logging can be
>>>> obtained by setting
>>>> log level = /var/log/samba/%U.%m.log.
>>>> Auditing information often must be preserved for a long time. So
>>>> that the log files do not
>>>> get rotated it is essential that the max log size = 0 be set in the
>>>> smb.conf file.
>>>>
>>>>
>>>>
>>>> Ryan Steele wrote:
>>>>> Hey List,
>>>>>
>>>>> I was wondering if and how one would go about tracking file
>>>>> activity on a Samba server, for basic auditing purposes. I'd
>>>>> ideally like to see what files were edited, by whom and when.
>>>>> I've done some RTFM and a bit of searching around the 'net, but
>>>>> haven't found anything yet. Even pointers to documentation on the
>>>>> subject would be welcome. Thanks in advance for any tips!
>>>>>
>>>>> Best Regards,
>>>>> Ryan
>>>>>
>>>
>>> Ray,
>>>
>>> I appreciate your advice.  I am experimenting with an implementation
>>> of the extd_audit module now on a test cluster - thanks for pointing
>>> me in the direction of the HOWTO,  I should have looked there before
>>> bumping the list.  Thanks again.
>>>
>>> Ryan
>>>
>>
>> I'm having a bit of trouble with the logging on this, and I'm hoping
>> someone can point out a simple mistake I'm overlooking.  My
>> intentions are to have everything in the shared directory container
>> log to /var/log/samba/log.machine.username, but all of the VFS
>> info continues to filter into syslog.  I've HUP'ed the daemon and
>> restarted to no avail.  Any thoughts?  Here's my smb.conf - it's
>> pretty vanilla, as it's a testbox for the purposes only of testing
>> the audit module:
>>
>> [global]
>>   obey pam restrictions = Yes
>>   encrypt passwords = Yes
>>   local master = no
>>   domain master = no
>>   preferred master = no
>>   netbios name = Testbox
>>   workgroup = TESTDOMAIN
>>   server string = %h server (TestServer)
>>   wins support = yes
>>   dns proxy = yes
>>   name resolve order = wins lmhosts host bcast
>>   smb ports = 139
>>   log file = /var/log/samba/log.%m
>>   max log size = 1000000
>>   syslog = 0
>>   panic action = /usr/share/samba/panic-action %d
>>   security = user
>>   invalid users = root
>>   passwd program = /usr/bin/passwd %u
>>   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
>> [homes]
>>   comment = Home Directories
>>   browseable = no
>>   writable = yes
>>   create mask = 0700
>>   directory mask = 0700
>> [Shared Files]
>>    comment = "Shared Files"
>>    log level = vfs:2
>>    path = /home/sharedfiles
>>    browseable = yes
>>    writable = yes
>>    oplocks = No
>>    level2 oplocks = No
>>    directory mask = 0775
>>    create mask = 0664
>>    log file = /var/log/samba/log.%m.%U
>>    vfs objects = extd_audit
>>
>> Thanks in advance for any advice.
>>
>> Best Regards,
>> Ryan
>>
>
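Since the goal of the thread is to find out which files were edited, by whom and when, here is an added example (my own code, not from this thread or from the Samba project) that pulls the full_audit records back out of syslog, which is where Ryan's config is delivering them anyway. It assumes full_audit's syslog record layout of prefix|operation|ok-or-fail|arguments with the thread's prefix of "%u|%I" (user|client address), works on constructed sample lines rather than real logs, and assumes the year (2007) because syslog timestamps do not carry one. It goes a little beyond the thread's config by also counting failure records, which "full_audit:failure = none" would suppress.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (not from the original thread), modelled on the
# "prefix|operation|ok-or-fail|arguments" layout full_audit writes to syslog,
# using the thread's prefix of "%u|%I" (user|client address). The sshd line
# is an unrelated syslog entry the parser must skip. Year is assumed: 2007.
SAMPLE_SYSLOG = """\
Aug  1 14:03:22 testbox smbd_audit: ryan|192.168.1.50|open|ok|docs/report.doc
Aug  1 14:03:22 testbox smbd_audit: ryan|192.168.1.50|write|ok|docs/report.doc
Aug  1 14:03:22 testbox smbd_audit: ryan|192.168.1.50|close|ok|docs/report.doc
Aug  1 14:03:23 testbox smbd_audit: ryan|192.168.1.50|open|ok|docs/report.doc
Aug  1 14:03:23 testbox smbd_audit: ryan|192.168.1.50|close|ok|docs/report.doc
Aug  1 14:05:10 testbox smbd_audit: dale|192.168.1.77|open|ok|docs/budget.xls
Aug  1 14:05:11 testbox smbd_audit: dale|192.168.1.77|close|ok|docs/budget.xls
Aug  1 14:06:00 testbox smbd_audit: dale|192.168.1.77|open|fail|docs/secret.txt
Aug  1 14:07:00 testbox sshd[1234]: Accepted publickey for steele from 10.0.0.5
"""

# Classic syslog line: "Mon dd HH:MM:SS host smbd_audit: <record>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) smbd_audit: (?P<body>.+)$"
)


def parse_line(line, year=2007):
    """Return a record dict for one full_audit syslog line, or None for lines
    that are not smbd_audit records or do not carry the expected fields."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.group("body").split("|")
    if len(fields) < 5:  # user, client, op, result, at least one argument
        return None
    user, client, op, result = fields[:4]
    args = fields[4:]
    # syslog timestamps have no year, so the caller supplies it (assumed 2007)
    stamp = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m.group("host"), "user": user,
            "client": client, "op": op, "ok": result == "ok",
            "path": args[0], "args": args}


def parse_syslog(text, year=2007):
    """Parse every smbd_audit record in a block of syslog text."""
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def summarize(records):
    """Group records per (user, path): first/last activity, which client
    addresses were involved, how many of each operation succeeded, the time
    of the last successful write, and how many operations failed."""
    out = {}
    for r in records:
        e = out.setdefault((r["user"], r["path"]), {
            "first": r["time"], "last": r["time"], "last_write": None,
            "clients": set(), "ops": Counter(), "failures": 0})
        e["first"] = min(e["first"], r["time"])
        e["last"] = max(e["last"], r["time"])
        e["clients"].add(r["client"])
        if r["ok"]:
            e["ops"][r["op"]] += 1
            if r["op"] == "write":
                e["last_write"] = max(e["last_write"] or r["time"], r["time"])
        else:
            e["failures"] += 1
    return out


def edited_files(records):
    """The thread's question: which files were actually changed, by whom,
    and when (time of the last successful write), sorted for reporting."""
    return sorted((user, path, e["last_write"])
                  for (user, path), e in summarize(records).items()
                  if e["last_write"] is not None)


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    for user, path, when in edited_files(recs):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {user:<6} edited {path}")
    print()
    for (user, path), e in sorted(summarize(recs).items()):
        ops = ", ".join(f"{op}={n}" for op, n in sorted(e["ops"].items()))
        print(f"{user:<6} {path:<18} {ops or '-':<26} failures={e['failures']}")
```

Feed it the smbd_audit lines grepped out of syslog (with the right year) and the first block of output is the "who edited what, when" list Ryan asked for; the second block is the raw operation counts. Those counts also show the thing Ryan noticed about different applications: in the sample, ryan's client opened and closed report.doc twice for a single edit, so the open/close numbers reflect how a given application drives the file, not how many times a person saved it. Only the write records are treated as evidence that the file changed.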

