Ubuntu 16.04 LTS – How To Configure SAMBA Full Audit

This guide explains how to configure Samba Full Audit in Ubuntu 16.04 with anonymous & secured samba servers.

Advanced Configuration

In this part I will show you how to configure .

Step 11 – Open config file nano /etc/samba/smb.conf and add the following line:
  vfs objects = full_audit
  full_audit:success = mkdir rmdir read pread write pwrite rename unlink
  full_audit:prefix = %u|%I|%m|%S
  full_audit:failure = none
  full_audit:facility = local5
  full_audit:priority = notice
  recycle:repository = /home/recycle/
  recycle:keeptree = yes
  recycle:versions = yes
  log file = /var/log/samba/samba.log
You can add more attries but I strongly recommended to add only this mkdir rename unlink rmdir write. These are other attributes for full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir lock symlink
After this your file will look like:

[ftp]
  comment = ftp
  path = /srv/samba/ftp
  browseable = yes
  valid users = mslavov, YOURUSER, test, test1
  write list = mslavov, YOURUSER, test, test1
  create mask = 0775
  force create mode = 0775
  public = no
  guest only = no
  directory mask = 0775
  force directory mode = 0775
  store dos attributes = Yes
  hide unreadable = yes
  hide files = /examples.desktop
  vfs objects = full_audit
  full_audit:success = mkdir rmdir read pread write pwrite rename unlink
  full_audit:prefix = %u|%I|%m|%S
  #full_audit:failure = none
  full_audit:failure = connect
  full_audit:facility = local7
  full_audit:priority = notice
  recycle:repository = /home/recycle/
  recycle:keeptree = yes
  recycle:versions = yes
  log file = /var/log/samba/samba.log

Step 12 – Create log file for samba audit. Execute the following command nano /etc/rsyslog.d/50-default.conf and find *.* …..line and make the changes to look like this:

*.*;auth,authpriv.none,local7.none   -/var/log/syslog
local7.notice    /var/log/samba-audit.log

Step 13 – Create file for audit and change permission.

root@mail:/# touch /var/log/samba-audit.log
root@mail:/# chown syslog:adm /var/log/samba-audit.log

Step 14 – Open this file /etc/logrotate.d/samba and add the following lines:

/var/log/samba-audit.log {
    weekly
    missingok
    rotate 7
    postrotate
         reload rsyslog > /dev/null 2>&1 || true
    endscript
    compress
    notifempty
}

Step 13 – Restart rsyslog and samba service.

root@mail:/# reboot

Step 15 – Now you can see audit for test folder for Jun 12

root@mail:/# cat /var/log/samba-audit.log | grep test | grep “Jun 12″
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|rename|ok|New folder|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|fstat|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|getxattr|ok|test|user.DOSATTRIB
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|close|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|stat|ok|./test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|./test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|./test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|get_nt_acl|ok|./test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|getxattr|ok|./test|user.DOSATTRIB
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|stat|ok|./test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|./test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|./test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|get_nt_acl|ok|./test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|getxattr|ok|./test|user.DOSATTRIB
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|stat|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|getxattr|ok|test|user.DOSATTRIB
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|stat|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|get_nt_acl|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|stat|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|get_nt_acl|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|open|ok|r|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|fstat|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|create_file|ok|0x100080|file|open|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|stat|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|get_nt_acl|ok|test
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|getxattr|ok|test|user.DOSATTRIB
Jun 12 16:23:36 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|close|ok|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|stat|ok|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|getxattr|ok|test|user.DOSATTRIB
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|stat|ok|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|get_nt_acl|ok|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|open|ok|r|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|fstat|ok|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|close|ok|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|stat|ok|test
Jun 12 16:23:38 mail smbd_audit: mslavov|10.10.11.230|ftp|martin-pc|sys_acl_get_file|ok|test

8 ThemeHow to create script for BACKUP and use crontab on Ubuntu (Server) 14.04 LTS Step-by-Step

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*
Website