How to audit operations in samba share?
Environment
- Red Hat Enterprise Linux 8
Issue
- How to audit user operations such as moving files, renaming files, and deleting files in samba share?
Resolution
- vfs_full_audit can be used to record Samba VFS operations.
- The following example audits user moves, deletions, and renames in a samba share:
- Edit the /etc/samba/smb.conf file:
[mytest]
comment = test
path = /test
public = no
browseable = yes
writable = yes
vfs objects = full_audit
full_audit:prefix = %u|%I|%S
full_audit:success = renameat unlinkat
full_audit:failure = renameat unlinkat
full_audit:facility = local5
full_audit:priority = notice
- Note: if other VFS modules are already configured for the share, list them all on the same vfs objects line.
- Add the following rule in rsyslog.conf to save the messages to a specific file:
#### RULES ####
...
local5.* /var/log/samba/audit.log
- Restart the smb and rsyslog services.
- When a user with permission deletes, renames, or moves a file or directory, the record in the log looks as follows:
Feb 1 20:59:12 z1 smbd_audit[35482]: AD\administrator|192.168.56.3|mytest|renameat|ok|/test/2/file.txt|/test/1/file.txt
Feb 1 20:59:22 z1 smbd_audit[35482]: AD\administrator|192.168.56.3|mytest|renameat|ok|/test/1/file.txt|/test/1/test.txt
Feb 1 20:59:27 z1 smbd_audit[35482]: AD\administrator|192.168.56.3|mytest|unlinkat|ok|/test/1/test.txt
Feb 1 21:01:45 z1 smbd_audit[35482]: AD\administrator|192.168.56.3|mytest|renameat|ok|/test/2|/test/3
- To set the log file size, retention time and rotation, refer to the following solution:
How to use logrotate utility to rotate log files
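The audit records above have a fixed shape: the syslog header, then the configured prefix (%u|%I|%S), then the operation, the result, and the operation's path arguments. The following parser is an added example and not part of this solution; it reads the four records shown above plus one constructed failure line (assumed to use full_audit's "fail (reason)" result form), distinguishes a move (parent directory changed) from a rename (same parent), and counts actions per user so that bursts of deletions from one account stand out.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four records from this solution plus one failed delete.
SAMPLE_LOG = r"""Feb 1 20:59:12 z1 smbd_audit[35482]: AD\administrator|192.168.56.3|mytest|renameat|ok|/test/2/file.txt|/test/1/file.txt
Feb 1 20:59:22 z1 smbd_audit[35482]: AD\administrator|192.168.56.3|mytest|renameat|ok|/test/1/file.txt|/test/1/test.txt
Feb 1 20:59:27 z1 smbd_audit[35482]: AD\administrator|192.168.56.3|mytest|unlinkat|ok|/test/1/test.txt
Feb 1 21:01:45 z1 smbd_audit[35482]: AD\administrator|192.168.56.3|mytest|renameat|ok|/test/2|/test/3
Feb 1 21:02:10 z1 smbd_audit[35482]: AD\bob|192.168.56.9|mytest|unlinkat|fail (Permission denied)|/test/1/secret.txt
"""

# Syslog header written by rsyslog, followed by the full_audit body.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"smbd_audit\[(?P<pid>\d+)\]: (?P<body>.*)$"
)


@dataclass
class AuditEvent:
    timestamp: str
    user: str        # %u
    client_ip: str   # %I
    share: str       # %S
    op: str          # renameat / unlinkat
    ok: bool         # result field was exactly "ok"
    args: List[str]  # paths: [src, dst] for renameat, [path] for unlinkat

    @property
    def action(self) -> str:
        """Map the VFS call to what the user did: move, rename or delete."""
        if self.op == "unlinkat":
            return "delete"
        if self.op == "renameat" and len(self.args) == 2:
            src, dst = self.args
            same_parent = posixpath.dirname(src) == posixpath.dirname(dst)
            return "rename" if same_parent else "move"
        return self.op


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one audit record; returns None for lines that are not full_audit output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Fields are '|'-separated; a file name containing '|' would shift them, so
    # the prefix and op/result fields are taken from the left, paths from the rest.
    fields = m.group("body").split("|")
    if len(fields) < 5:
        return None
    user, ip, share, op, result = fields[:5]
    return AuditEvent(m.group("ts"), user, ip, share, op, result == "ok", fields[5:])


def parse_log(text: str) -> List[AuditEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(events: List[AuditEvent]) -> Dict[Tuple[str, str, str], int]:
    """Count (user, action, ok/fail) so mass deletions or repeated denials are visible."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for ev in events:
        key = (ev.user, ev.action, "ok" if ev.ok else "fail")
        counts[key] = counts.get(key, 0) + 1
    return counts
```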
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.