[Samba] Tracking file activity

Ryan Steele steele at agora-net.com
Tue Jul 31 15:11:37 GMT 2007


Ryan Steele wrote:
> Ray Anderson wrote:
>> Been using it for a while now:
>>
>> smb.conf entry:
>> # turn on auditing
>> vfs objects = audit
>>
>> In the Samba howto collection, section 21.3:
>>
>> 21.3 Included Modules
>> 21.3.1 audit
>> 21.3.2 extd audit
>>
>> And just for completeness:
>>
>> 21.3.1 audit
>> A simple module to audit file access to the syslog facility. The 
>> following operations are
>> logged:
>> • share
>> • connect/disconnect
>> • directory opens/create/remove
>> • file open/close/rename/unlink/chmod
>> 21.3.2 extd audit
>> This module is identical with the audit module above except that it 
>> sends audit logs to
>> both syslog as well as the smbd log files. The log level for this 
>> module is set in the smb.
>> conf file.
>> Valid settings and the information that will be recorded are shown in 
>> the next table.
>> 21.3.2.1 Configuration of Auditing
>> This auditing tool is more flexible than most people readily will 
>> recognize. There are a
>> number of ways by which useful logging information can be recorded.
>> • Syslog can be used to record all transactions. This can be disabled 
>> by setting in the
>> smb.conf file syslog = 0.
>>
>> Table 21.1. Extended Auditing Log Information
>>
>> Log Level   Log Details - File and Directory Operations
>> 0           Make Directory, Remove Directory, Unlink
>> 1           Open Directory, Rename File, Change Permissions/ACLs
>> 2           Open & Close File
>> 10          Maximum Debug Level
>>
>> • Logging can take place to the default log file (log.smbd) for all 
>> loaded VFS modules
>> just by setting in the smb.conf file log level = 0 vfs:x, where x is 
>> the log level.
>> This will disable general logging while activating all logging of VFS 
>> module activity
>> at the log level specified.
>> • Detailed logging can be obtained per user, per client machine, etc. 
>> This requires the
>> above together with the creative use of the log file settings.
>> An example of detailed per-user and per-machine logging can be 
>> obtained by setting
>> log level = /var/log/samba/%U.%m.log.
>> Auditing information often must be preserved for a long time. So that 
>> the log files do not
>> get rotated it is essential that the max log size = 0 be set in the 
>> smb.conf file.
>>
>>
>>
>> Ryan Steele wrote:
>>> Hey List,
>>>
>>> I was wondering if and how one would go about tracking file activity 
>>> on a Samba server, for basic auditing purposes. I'd ideally like to 
>>> see what files were edited, by whom and when. I've done some RTFM 
>>> and a bit of searching around the 'net, but haven't found anything 
>>> yet. Even pointers to documentation on the subject would be welcome. 
>>> Thanks in advance for any tips!
>>>
>>> Best Regards,
>>> Ryan
>>>
>
> Ray,
>
> I appreciate your advice.  I am experimenting with an implementation 
> of the extd_audit module now on a test cluster - thanks for pointing 
> me in the direction of the HOWTO,  I should have looked there before 
> bumping the list.  Thanks again.
>
> Ryan
>

I'm having a bit of trouble with the logging on this, and I'm hoping 
someone can point out a simple mistake I'm overlooking.  My intentions 
are to have everything in the shared directory container log to 
/var/log/samba/log.machine.username, but all of the VFS info 
continues to filter into syslog.  I've HUP'ed the daemon and restarted 
to no avail.  Any thoughts?  Here's my smb.conf - it's pretty vanilla, 
as it's a testbox for the purposes only of testing the audit module:

[global]
   obey pam restrictions = Yes
   encrypt passwords = Yes
   local master = no
   domain master = no
   preferred master = no
   netbios name = Testbox
   workgroup = TESTDOMAIN
   server string = %h server (TestServer)
   wins support = yes
   dns proxy = yes
   name resolve order = wins lmhosts host bcast
   smb ports = 139
   log file = /var/log/samba/log.%m
   max log size = 1000000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700
[Shared Files]
    comment = "Shared Files"
    log level = vfs:2
    path = /home/sharedfiles
    browseable = yes
    writable = yes
    oplocks = No
    level 2 oplocks = No
    directory mask = 0775
    create mask = 0664
    log file = /var/log/samba/log.%m.%U
    vfs objects = extd_audit

Thanks in advance for any advice.

Best Regards,
Ryan

-- 
Ryan Steele
Systems Administrator 
Greater Philadelphia Area
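
Added example, not part of the original post or of Samba: a small check that parses an smb.conf and reports logging parameters that smb.conf(5) marks as global-only (G) when they are set inside a share section, where they are not applied per share. The parameter set is limited to the logging options used in this thread, and the sample input is constructed from the configuration posted above.

```python
import re

# Logging parameters that smb.conf(5) marks (G): honoured only in [global].
# Stored without spaces because Samba ignores whitespace in parameter names;
# "debuglevel" is the documented synonym of "log level".
GLOBAL_ONLY = {"loglevel", "debuglevel", "logfile", "maxlogsize", "syslog"}

# Constructed sample, reduced from the smb.conf in the message above.
SAMPLE_CONF = """\
[global]
   log file = /var/log/samba/log.%m
   max log size = 1000000
   syslog = 0
[Shared Files]
    log level = vfs:2
    path = /home/sharedfiles
    log file = /var/log/samba/log.%m.%U
    vfs objects = extd_audit
"""

def misplaced_globals(conf_text):
    """Return (line_no, section, parameter) for every global-only logging
    parameter set outside [global]. Backslash continuations are not joined."""
    findings = []
    section = None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section is None or "=" not in line:
            continue
        shown = " ".join(line.split("=", 1)[0].lower().split())
        key = shown.replace(" ", "")      # compare case- and space-insensitively
        if section.lower() != "global" and key in GLOBAL_ONLY:
            findings.append((line_no, section, shown))
    return findings

if __name__ == "__main__":
    for line_no, section, name in misplaced_globals(SAMPLE_CONF):
        print(f"line {line_no}: '{name}' in [{section}] is a global-only parameter")
```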



