[Samba] monitoring file access levels?

Carl Brewer carl at bl.echidna.id.au
Thu May 15 01:22:49 GMT 2008

Michael Heydon wrote:
> Sorry, missed the list.
> There is already an audit VFS module. I don't think it will do quite
> what you want, but I think it would be a better place to start than the
> standard log files.


I've been trying to get that working with the following in the general 
section of smb.conf :

   log level = 0 vfs:2
   log file = /var/log/samba/%U.%m.log
   vfs objects = audit

# Put a capping on the size of the log files (in Kb).
   max log size = 0

but so far it doesn't seem to be logging what I expected it to (ie: 

> You aren't going to prevent access once they reach some limit are you?
> you are just going to email the boss or something? (I would hate to be
> working on some big project, hit the limit and find myself unable to
> save all my work).

Heh, no .. that's what he wants but not what he's getting, he'll get an 
alert, that's all.  I know this is crazy, but it is his server, so it is 
his call.

> Also, things like Windows' "search for words in a file" tool will
> basically transfer everything to the client machine, so just remind him
> that monitoring traffic alone is a poor indicator of what is going on.
> Would it be possible to disable USB storage devices and CD/DVD burners
> so they can't get the data onto removable media instead?

Not really, he's just gone a bit paranoid of late, the best solution is 
some sort of encryption I think, or just for him to realise that he has 
to trust his staff.

More information about the samba mailing list