Samba in Ubuntu 10.04 – file audit log with full_audit

I am going to talk about how to setup auditing on your samba server in order to be able to view logs in case files disappear from shares (etc).
I’m not aware if anyone has written a tutorial for the specific task on a similar setup so I’ll post about what I did.

This is essentially an update to the blog post:  Samba – file audit log with full_audit by Constantin Bosneaga written in October 2009 but Ubuntu 10.04 uses RSYSLOG instead of SYSLOG. If this works in later versions as well I’d appreciate if someone dropped me a line.

Step 1) Configuring Samba

Instructions from here up to Configuring syslog.

“I have samba-3.0.33 on Gentoo machine. File audit will be done using samba module full_audit.

Locate smb.conf, usually in /etc/samba/smb.conf

and add these lines to global section.

# Audit settings
full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod
fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = local5
full_audit:priority = notice
 

If to look careful at full_audit:success, it contains a lot events, this list may be cut a little bit, because on busy server it will generate a lots of junk.

full_audit:prefix = %u|%I|%S adds additional useful information to audit log file

%u – User
%I – User IP address
%S – Server share name

for full list of substitutions see this page:

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html  in the section VARIABLE SUBSTITUTIONS

To each share where file audit is needed add this line:

vfs objects = full_audit 

like this:

[public]
  comment = Public Stuff
  path = /home/samba/public
  public = yes
  writable = no
  write list = @staff
 vfs object = full_audit 
 

That’s all about samba. So where all this audit logs are going now ? As you can see from these lines:

full_audit:facility = local5 full_audit:priority = notice

they are going to system logger (syslog).”


Step 2) Configuring syslog filter with RSYSLOG

Original tutorial instructions are given on configuring syslog-ng, or syslogd. 
Ubuntu 10.04 makes use of the rsyslog daemon. More information on rsyslog here.

The modifications are exactly the same  (but in a different file).


A) View rsyslog.conf

Opening the /etc/rsyslog.conf file with sudo cat /etc/rsyslog.conf produces the output:


#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

The interpretation of the above is that all files in etc/rsyslog.d/ directory are considered by rsyslog.


B) Configuration Files

Three files existed in /etc/rsyslog.d/ on my setup.

backuppc@backup-pc:/etc/rsyslog.d$ ls -a
.  ..  20-ufw.conf  50-default.conf  postfix.conf


C) Edit 50-default.conf

(or other appropriate conf)

Find the line *.*;auth,authpriv.none        -/var/log/syslog within the 50-default.conf and make the appropriate changes according to the original tutorial. Specifically change it to
*.*;local5,auth,authpriv.none           -/var/log/syslog

A sample of an 50-default.conf:

#  Default rules for rsyslog.
#
#            For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files.  Log by facility.
#
auth,authpriv.*            /var/log/auth.log
#*.*;auth,authpriv.none        -/var/log/syslog
*.*;local5,auth,authpriv.none           -/var/log/syslog
local5.notice /var/log/samba/audit.log
#cron.*                /var/log/cron.log
daemon.*            -/var/log/daemon.log
kern.*                -/var/log/kern.log
lpr.*                -/var/log/lpr.log
mail.*                -/var/log/mail.log
user.*                -/var/log/user.log
#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info            -/var/log/mail.info
mail.warn            -/var/log/mail.warn
mail.err            /var/log/mail.err
#
# Logging for INN news system.
#
news.crit            /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice            -/var/log/news/news.notice
#
# Some “catch-all” log files.
#
*.=debug;
    auth,authpriv.none;
    news.none;mail.none    -/var/log/debug
*.=info;*.=notice;*.=warn;
    auth,authpriv.none;
    cron,daemon.none;
    mail,news.none        -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg                *
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;
#    news.=crit;news.=err;news.=notice;
#    *.=debug;*.=info;
#    *.=notice;*.=warn    /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole’ utility.  To use it,
# you must invoke `xconsole’ with the `-file’ option:
#
#    $ xconsole -file /dev/xconsole […]
#
# NOTE: adjust the list below, or you’ll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;
    news.err;
    *.=debug;*.=info;
    *.=notice;*.=warn    |/dev/xconsole


D) Restart daemons

Restart both the samba and rsyslog damons from the console.
# /etc/init.d/samba restart
#service rsyslog restart


Step 3) Log Rotation

Once again thes same steps with a small twist.

Original tutorial: “The last part, but not less important is to configure log rotation, not to end with FULL /var, or even worse / partition.

This setup is for syslog-ng, in case of syslogd change post rotate script to restart syslog.

Create new file /etc/logrotate.d/samba.audit

/var/log/samba/audit.log {
   weekly
   missingok
   rotate 7
   postrotate
      /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
   endscript
   compress
   notifempty
}"

As sysLog-ng is not utilized in ubuntu 10.04 so the command is changed to

service rsyslog restart > /dev/null 2>&1 || true


Conclusion

If all steps are done correctly, the audit.log is populated with entries such as:

Mar 16 18:40:15 backup smbd_audit: backuppc|192.168.#.#|#|rmdir|ok|GROUP_FILES/PROJECTS/flash/MicRecorder/MicRecorder 1.2/__MACOSX/MicRecorder/bin

Finally, every sunday the old logs are zipped.

Enjoy!



Menelaos Bakopoulos

Mr. Menelaos Bakopoulos is currently pursuing his PhD both at Center for TeleInFrastruktur (CTiF) at Aalborg University (AAU) in Denmark and Athens Information Technology (AIT) in Athens, Greece. He received a Master in Information Technology and Telecommunications Systems from Athens Information Technology and a B.Sc. in Computer Science & Management Information Systems from the American College of Thessaloniki. Since April 2008 he has been a member of the Multimedia, Knowledge, and Web Technologies Group.

More Posts