Samba Full Audit Trail
19 Jul


This is a new one. I was asked today by someone to explain why files were missing from the Samba file server. Sadly, in the end I wasn’t able to find out why, simply because there was no log. This at least isn’t a case of a system admin not keeping logs: there were thousands of them for Samba (I managed to trace that to a poorly configured log rotation setup), but not one of those logs could help me – seriously, why does Samba keep so many logs except the one you’re interested in!

Unfortunately I wasn’t able to answer the question about where the missing files went, but this isn’t the first time I’ve been asked this question, so next time – and, as any good system admin knows, there is always a next time – I want to be able to know what happened.

In this post I will talk you through configuring Samba 3.6.3 to keep a full user audit trail, recording all changes made to the file system – including deletions.

In my own research I was quite impressed that Samba can actually do this already; it’s just not on by default. The trick is to use a stackable VFS module called full_audit. The system I was setting this all up on was Ubuntu 12.04.5 LTS (precise) and already had full_audit installed, so I didn’t need to worry too much about that. To check if it’s installed on your system, look for the module file under /usr/lib/samba/vfs/; if it’s there, everything is installed and working – if it’s not, let me know in the comments below, because I haven’t found a system which was missing it yet.

Setting up the share

I’m only interested in creating an audit trail for one of the server shares, so these settings can be assigned to that one share’s configuration. When all is done the final configuration in /etc/samba/smb.conf will look like this – don’t worry too much about it, it works and I’ll go through it line by line.

When you copy this into your smb.conf file, make sure not to copy the existing share configuration part too.

The normal configuration section you should know already, so let’s look at the new parts:

vfs objects – tells Samba to load the full_audit module for this share.

full_audit:prefix – This defines how each log line starts and fully supports Samba variables. The format I’ve chosen is:
%U = Samba username
%I = client IP address
%m = client hostname
%S = current share name – not technically needed since I’m doing this for a single share, but probably worth keeping in case the configuration is expanded later
For now ignore the nasaudit at the start; I’ll come back to it later.

full_audit:success – Which user actions to log when they succeed:
mkdir = upload/create a new directory
pwrite = upload/create a new file
rename = rename a file
rmdir = delete a directory
unlink = delete a file

full_audit:failure – The same as full_audit:success, but for actions that failed.

full_audit:facility – Which syslog facility to log to. We can use this later to direct the messages out of syslog and into a more useful file.

full_audit:priority – The syslog priority to give the log messages.

So there you have it. Next time you restart Samba it will log a whole lot more about what a user is actually doing on your file system (bear in mind it only sees what goes through Samba – anything done locally on the server over SSH or another protocol won’t appear here). Currently the logs are going into /var/log/syslog, so in the next step we’ll have to get them out of there into a file of their own.
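Because the share block itself did not survive on this page, here is a reconstruction written for this post from the settings described above. It is an added example, not the author’s original smb.conf: the share name [data], the path, the valid users line and the notice priority are assumptions, as is the | separator in the prefix (full_audit itself separates the fields it appends with |, so a line ends up as prefix|operation|ok-or-fail|arguments).

```ini
[data]
    ; ordinary share settings (assumed for this example; keep your own)
    path = /srv/samba/data
    valid users = @staff
    read only = no

    ; audit trail settings described in the post
    vfs objects = full_audit
    full_audit:prefix = nasaudit|%U|%I|%m|%S
    full_audit:success = mkdir pwrite rename rmdir unlink
    full_audit:failure = mkdir pwrite rename rmdir unlink
    full_audit:facility = local5
    full_audit:priority = notice
```

Run testparm -s after editing to confirm smb.conf still parses and that the share shows the vfs objects line, then restart smbd. Two things to expect once it is live: pwrite is logged for every write call, so one large upload produces many lines rather than one, and a failed unlink from an account that should not be deleting anything is exactly the kind of line worth alerting on rather than just keeping.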

Redirect the logged output

I use the rsyslog daemon rather than syslog, but the process below should work for either one.

We told Samba to output logs to facility ‘local5’, so we can tell rsyslog to look for that. Rather than just take everything that gets sent to local5, though, we can add a filter so only messages that contain nasaudit are matched – see, I told you I’d come back to it.

Now we know what we’re planning to do, let’s put it all together. Just add the following line, either to your /etc/rsyslog.conf file or, better still, to a new file in the /etc/rsyslog.d/ directory.

Rotating logs

The final thing we need to do is add this new logfile to the /etc/logrotate.d/samba configuration file. This way we get a nice clean audit folder; since these audit logs could be quite long on a busy server, trying to search through a single file would grow old – fast.

Open up /etc/logrotate.d/samba in your favourite editor and copy in the block below:

This will rotate the logs every day and keep 90 of them. Deciding how much to keep and how far back you will need to go is a personal thing. In my case I’ve gone with three months to start with, and it’s simple enough to dial that back later.
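To tie the rsyslog and logrotate steps together, and to show what the resulting log is actually good for, here is an added shell example that is not part of the original post. It writes the two drop-in files under a configurable CONF_ROOT (so it can be dry-run in a scratch directory before touching /etc), then queries a constructed sample of audit lines in the prefix|operation|ok-or-fail|arguments form that full_audit emits. The file names 10-samba-audit.conf and samba-audit, the destination /var/log/samba/audit.log, the invoke-rc.d line and the sample users, hosts and addresses are all assumptions. Two practical points are built in: rsyslog.d files are read in name order, so the rule is named to sort before Ubuntu’s 50-default.conf and discards the message (& ~) so a second copy does not land in /var/log/syslog; and it is rsyslog, not smbd, that holds audit.log open, so the logrotate stanza needs a postrotate that makes rsyslog reopen the file (reloading smbd does nothing for a file smbd never opened).

```shell
#!/bin/sh
# Added example for this post (not the author's files). Writes the rsyslog rule
# and logrotate stanza described above under $CONF_ROOT, then shows how to
# answer "who deleted X?" from the resulting audit log.
set -e

CONF_ROOT="${CONF_ROOT:-$(mktemp -d)}"   # set CONF_ROOT=/ to install for real (assumed layout)
AUDIT_LOG="/var/log/samba/audit.log"     # assumed destination for the audit lines

mkdir -p "$CONF_ROOT/etc/rsyslog.d" "$CONF_ROOT/etc/logrotate.d" "$CONF_ROOT/var/log/samba"

# 1. rsyslog: match facility local5 AND the nasaudit prefix, write to its own file.
#    The 10- name sorts before Ubuntu's 50-default.conf; '& ~' then discards the
#    message so it is not also written to /var/log/syslog (rsyslog < 7 syntax,
#    rsyslog 7+ spells it '& stop').
cat > "$CONF_ROOT/etc/rsyslog.d/10-samba-audit.conf" <<EOF
if \$syslogfacility-text == 'local5' and \$msg contains 'nasaudit' then $AUDIT_LOG
& ~
EOF

# 2. logrotate: daily, keep 90. rsyslog holds the file open, so postrotate must
#    make rsyslog reopen it (invoke-rc.d line assumed for Ubuntu 12.04; adjust
#    to your init system).
cat > "$CONF_ROOT/etc/logrotate.d/samba-audit" <<EOF
$AUDIT_LOG {
    daily
    rotate 90
    missingok
    notifempty
    compress
    delaycompress
    create 0640 root adm
    sharedscripts
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null 2>&1 || true
    endscript
}
EOF

# 3. Constructed sample of what ends up in audit.log. full_audit writes
#    <prefix>|<operation>|<ok or fail>|<arguments> and our prefix is
#    nasaudit|%U|%I|%m|%S, so after the syslog header the fields are:
#    nasaudit|user|client IP|client host|share|operation|result|path[|new path]
SAMPLE_LOG="$CONF_ROOT/var/log/samba/audit.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jul 19 09:12:01 nas smbd_audit: nasaudit|alice|192.0.2.10|WS-ALICE|data|pwrite|ok|projects/q3/budget.xlsx
Jul 19 09:15:44 nas smbd_audit: nasaudit|bob|192.0.2.22|WS-BOB|data|rename|ok|projects/q3/budget.xlsx|projects/old/budget.xlsx
Jul 19 11:02:09 nas smbd_audit: nasaudit|bob|192.0.2.22|WS-BOB|data|unlink|ok|projects/old/budget.xlsx
Jul 19 11:02:10 nas smbd_audit: nasaudit|carol|192.0.2.31|WS-CAROL|data|unlink|fail|projects/q3/plan.docx
EOF

# Every recorded operation touching a path (or fragment of one):
# prints user, client IP, operation, result and the path argument(s).
audit_history() {
    grep -F -- "$1" "${2:-$SAMPLE_LOG}" |
        awk -F'|' '{ args = ($9 != "") ? ($8 " -> " $9) : $8; print $2, $3, $6, $7, args }'
}

# Successful deletions (unlink or rmdir) per user, sorted by user.
audit_deletions() {
    awk -F'|' '$7 == "ok" && ($6 == "unlink" || $6 == "rmdir") { n[$2]++ }
               END { for (u in n) print u, n[u] }' "${1:-$SAMPLE_LOG}" | sort
}

audit_history budget.xlsx   # follows the file through its rename to the deletion
audit_deletions
```

Following a file through a rename is the case the post’s original question needed: the file "disappeared" from its folder because it was renamed into another one and then deleted, and only the rename line ties the two paths together. Failed attempts (carol above) are kept by full_audit:failure, which is why logging the failure list is worth the extra lines.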