Auditing Samba Activity in FreeBSD

If you're offering a Samba service on a network and aren't sure what it's being used for, the best thing to do is audit the existing connections to the shares.

This can be done using the full_audit VFS module included with Samba. It lets you log specific Samba operations, along with which user performed them and where they connected from.

Create a vfs object configuration in smb.conf

Add a full_audit vfs object to each Samba share. The format of the full_audit vfs object is as follows:

    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = connect mkdir open opendir read rmdir write
    full_audit:failure = connect
    full_audit:facility = local7
    full_audit:priority = NOTICE

vfs objects: tells Samba to load the full_audit module for this share rather than relying on its normal logging
full_audit:prefix: Samba variables prepended to every audit record: %u - user, %I - IP address, %m - machine name, %S - share name
full_audit:success: the operations to log when they succeed
full_audit:failure: the operations to log when they fail
full_audit:facility: the syslog facility to log to, here local7 (by default these messages would end up in /var/log/messages)
full_audit:priority: the syslog priority to log these audit messages at

Each full_audit block should exist under a specific share, and each can have different options.

Add syslog facilities to log to a separate file

Touch a new file to hold the activity logged by Samba:

    touch /var/log/samba-audit.log

Modify the existing syslog config so local7 messages are no longer logged to /var/log/messages:

    *.notice;local7,authpriv.none;kern.debug;mail.crit;news.err    /var/log/messages

In /etc/syslog.conf add the following line to log local7 notice messages to /var/log/samba-audit.log:

    local7.notice                                   /var/log/samba-audit.log

Add an entry in newsyslog.conf to rotate the logs:

    /var/log/samba-audit.log                644  100   1000 *     JC

644: the permissions of the file
100: the number of rotated logs to keep
1000: the max file size in kilobytes (roughly 1MB)
*: the rotation period (use * when rotating by size alone)
JC: the flags column; C is compression and J creates the file if it doesn't already exist

Restart Samba

    /usr/local/etc/rc.d/samba restart

A reload won't do it; you'll have to restart the entire daemon. You may also have to restart syslogd so it picks up the new configuration.
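Once the audit records are landing in /var/log/samba-audit.log, the next question is how to read them in bulk. The script below is an added example, not part of the original article or of Samba itself. It assumes the record layout that the prefix above produces: after the "smbd_audit:" syslog tag, the fields are user|ip|machine|share|op|status|args..., where status is "ok" or "fail (reason)". The log lines in SAMPLE_LOG are constructed for this example (hosts, users and addresses are made up), as are the helper names parse_log, summarize and repeated_failures.

```python
"""Summarize Samba full_audit records routed through syslog.

Assumed record layout, derived from the page's prefix %u|%I|%m|%S: after
the "smbd_audit:" tag each record is user|ip|machine|share|op|status|args...
with status either "ok" or "fail (reason)". Every log line below is
constructed for this example; hosts, users and addresses are made up.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample: a syslog file that also carries a non-Samba line,
# which the parser must skip rather than choke on.
SAMPLE_LOG = """\
Mar  3 09:12:01 fileserver smbd_audit: alice|192.0.2.10|ALICE-PC|finance|connect|ok|finance
Mar  3 09:12:02 fileserver smbd_audit: alice|192.0.2.10|ALICE-PC|finance|opendir|ok|.
Mar  3 09:12:05 fileserver smbd_audit: alice|192.0.2.10|ALICE-PC|finance|open|ok|r|Q1/budget.xlsx
Mar  3 09:12:05 fileserver smbd_audit: alice|192.0.2.10|ALICE-PC|finance|read|ok|Q1/budget.xlsx
Mar  3 09:15:44 fileserver smbd_audit: bob|192.0.2.23|BOB-LAPTOP|finance|connect|fail (Permission denied)|finance
Mar  3 09:15:45 fileserver smbd_audit: bob|192.0.2.23|BOB-LAPTOP|finance|connect|fail (Permission denied)|finance
Mar  3 09:20:10 fileserver smbd_audit: carol|198.51.100.7|CAROL-PC|public|connect|ok|public
Mar  3 09:20:12 fileserver smbd_audit: carol|198.51.100.7|CAROL-PC|public|write|ok|upload/notes.txt
Mar  3 09:20:13 fileserver smbd_audit: carol|198.51.100.7|CAROL-PC|public|rmdir|ok|old
Mar  3 09:21:00 fileserver sshd[123]: Accepted publickey for root from 192.0.2.1
"""

# Matches the BSD syslog header followed by the smbd_audit tag.
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"smbd_audit: (?P<rest>.*)$"
)

# Operations from the page's success list that change data on the share.
MODIFYING_OPS = {"mkdir", "rmdir", "write"}


@dataclass
class AuditRecord:
    ts: str
    user: str
    ip: str
    machine: str
    share: str
    op: str
    ok: bool
    reason: str = ""
    args: list = field(default_factory=list)


def parse_line(line):
    """Return an AuditRecord for a full_audit line, or None for anything else."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = m.group("rest").split("|")
    if len(fields) < 6:          # malformed record: refuse to guess
        return None
    user, ip, machine, share, op, status = fields[:6]
    ok = status == "ok"
    # Failures look like "fail (Permission denied)"; keep the reason text.
    reason = "" if ok else status[len("fail"):].strip(" ()")
    return AuditRecord(m.group("ts"), user, ip, machine, share, op, ok, reason, fields[6:])


def parse_log(text):
    """Parse a whole log file, silently skipping lines that are not audit records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def summarize(records):
    """Aggregate records into the views an auditor checks first."""
    ops_by_user_share = Counter()
    failed_connects = Counter()
    changes_by_share = defaultdict(list)
    for r in records:
        ops_by_user_share[(r.user, r.share)] += 1
        if r.op == "connect" and not r.ok:
            failed_connects[(r.user, r.ip, r.reason)] += 1
        if r.ok and r.op in MODIFYING_OPS and r.args:
            # For mkdir/rmdir/write the last argument is the path acted on.
            changes_by_share[r.share].append((r.op, r.args[-1]))
    return {
        "ops_by_user_share": ops_by_user_share,
        "failed_connects": failed_connects,
        "changes_by_share": dict(changes_by_share),
    }


def repeated_failures(summary, threshold=2):
    """(user, ip, reason) tuples whose failed connects reached the threshold."""
    return [k for k, n in summary["failed_connects"].items() if n >= threshold]


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for (user, share), n in sorted(s["ops_by_user_share"].items()):
        print(f"{user:10} {share:10} {n:4} ops")
    for user, ip, reason in repeated_failures(s):
        print(f"repeated failed connects: {user} from {ip} ({reason})")
    for share, changes in s["changes_by_share"].items():
        print(f"changes on {share}: {changes}")
```

Run it against the real file by replacing SAMPLE_LOG with the contents of /var/log/samba-audit.log. The three views it produces map onto the three reasons for turning full_audit on in the first place: who is actually using each share (ops per user and share), who is being refused (repeated failed connects, which the failure = connect setting above makes visible), and what is being changed (mkdir, rmdir and write paths per share). Because the same prefix is prepended to every record, the parser stays valid whichever operations you add to the success list later.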


