SAMBA FULL_AUDIT IN UBUNTU 12.04

Thanks to http://vmassuchetto.github.io/2013/12/10/samba-full_audit-in-ubuntu-1204/

To use the full_audit VFS module with Samba on Ubuntu 12.04 I did the following.

Add the vfs objects settings to the [global] section of /etc/samba/smb.conf (in [global] they apply to every share; they can also be placed in a single share's section to audit only that share):

[global]

    ... other stuff ...

    # Full audit: send the listed VFS operations to syslog
    vfs objects = full_audit
    # Prepended to every record: user, client IP, client machine, share
    full_audit:prefix = %u|%I|%m|%S
    # Operations logged when they succeed ...
    full_audit:success = mkdir rmdir read pread write pwrite rename unlink
    # ... and when they fail
    full_audit:failure = connect
    full_audit:facility = local7
    full_audit:priority = notice

Check the vfs_full_audit(8) manpage for the list of operation names that are valid in the success and failure parameters. Note that read, pread, write and pwrite produce one record per I/O call, which is where most of the log volume comes from.

Edit /etc/rsyslog.d/50-default.conf so that the local7 audit messages are not also written to /var/log/syslog:

# Change this line
*.*;auth,authpriv.none             -/var/log/syslog

# To
*.*;auth,authpriv.none,local7.none -/var/log/syslog

Then route the local7 facility to /var/log/samba-audit.log:

# Add this line
local7.notice                       /var/log/samba-audit.log

To rotate the logs weekly, add this stanza to /etc/logrotate.d/samba:

/var/log/samba-audit.log {
    weekly
    missingok
    rotate 7
    postrotate
        reload rsyslog > /dev/null 2>&1 || true
    endscript
    compress
    notifempty
}

Restart everything:

service rsyslog restart
service smbd restart

Problems

rsyslogd would not write to a file outside /var/log itself: I was trying to use the /var/log/samba/audit.log file, and it wasn't working because of that. Note that Ubuntu 12.04 confines rsyslogd with AppArmor rather than SELinux, and that rsyslogd drops privileges to the syslog user after starting, so whichever directory holds the audit log must be writable by that user; check that before picking a path under a subdirectory of /var/log.

Also, let rsyslogd create the log file itself rather than touching it by hand, because the ownership and mode must be the following:

-rw-r----- 1 syslog adm 928536 Dec 10 17:19 /var/log/samba-audit.log

If the owner and group are not syslog and adm (or whatever $FileOwner and $FileGroup are set to in /etc/rsyslog.conf), logging will not work either.

Result

The log looks like this, but it grows very quickly:

Dec 10 17:18:42 bispo smbd[10515]: someuser|192.168.0.21|someuser|Share name|pread|ok|file_name.xlsx
Dec 10 17:19:19  smbd[10515]: last message repeated 3 times
Dec 10 17:19:19 bispo smbd[10516]: nobody|192.168.0.170|oni
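As an added example (not part of the original post), here is a small Python parser for records in this format. It relies on the %u|%I|%m|%S prefix configured above, expands syslog's "last message repeated N times" lines so that counts stay correct, skips lines that are not audit records, and summarises operations per user, failed share connections per source address, and successful deletions. The sample log embedded in it is constructed for the example; the hostnames, users, machines and paths are invented.

```python
import re
from collections import Counter

# Number of fields produced by the prefix configured above: %u|%I|%m|%S
PREFIX_FIELDS = 4

# rsyslog line: "Dec 10 17:18:42 host smbd[pid]: message". The host is
# optional so that "last message repeated" lines, which in the post's
# output carry no hostname, still match.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S*) "
    r"smbd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")

# Constructed sample in the shape the configuration above produces
# (prefix | operation | "ok" or "fail (strerror)" | arguments). Not real data.
SAMPLE_LOG = """\
Dec 10 17:18:42 bispo smbd[10515]: someuser|192.168.0.21|WKS01|Finance|pread|ok|budget.xlsx
Dec 10 17:18:43 bispo smbd[10515]: someuser|192.168.0.21|WKS01|Finance|pwrite|ok|budget.xlsx
Dec 10 17:18:44 bispo smbd[10515]: someuser|192.168.0.21|WKS01|Finance|unlink|ok|old/report.doc
Dec 10 17:18:45 bispo smbd[10515]: someuser|192.168.0.21|WKS01|Finance|unlink|ok|old/notes.txt
Dec 10 17:18:46 bispo smbd[10515]: someuser|192.168.0.21|WKS01|Finance|rename|ok|a.txt|b.txt
Dec 10 17:19:01 bispo smbd[10516]: nobody|192.168.0.170|UNKNOWN|Finance|connect|fail (Permission denied)|Finance
Dec 10 17:19:02 bispo smbd[10516]: nobody|192.168.0.170|UNKNOWN|Finance|connect|fail (Permission denied)|Finance
Dec 10 17:19:19  smbd[10516]: last message repeated 3 times
Dec 10 17:19:30 bispo smbd[10517]: not an audit record at all
"""


def _error_text(result):
    """full_audit writes failures as 'fail (strerror text)'; return just the text."""
    if result.startswith("fail (") and result.endswith(")"):
        return result[len("fail ("):-1]
    return result


def parse_audit_log(text):
    """Return a list of audit records (dicts) parsed from rsyslog output.

    Non-audit lines are skipped, and a 'last message repeated N times'
    line is expanded into N copies of the previous record so that counts
    derived from the result are correct.
    """
    records, last = [], None
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep:
            if last is not None:
                records.extend(dict(last) for _ in range(int(rep.group("n"))))
            continue
        # Fields are '|' separated. A path containing '|' would mis-split,
        # so everything after the result field is kept verbatim in args.
        fields = msg.split("|")
        if len(fields) < PREFIX_FIELDS + 2:
            continue
        user, ip, machine, share = fields[:PREFIX_FIELDS]
        op, result = fields[PREFIX_FIELDS:PREFIX_FIELDS + 2]
        last = {
            "ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid")),
            "user": user, "ip": ip, "machine": machine, "share": share,
            "op": op, "ok": result == "ok",
            "error": None if result == "ok" else _error_text(result),
            "args": fields[PREFIX_FIELDS + 2:],
        }
        records.append(last)
    return records


def ops_per_user(records):
    """Counter of (user, operation) -> count; shows who generates the volume."""
    return Counter((r["user"], r["op"]) for r in records)


def failed_connects(records):
    """Counter of (user, client IP) -> number of failed share connections."""
    return Counter((r["user"], r["ip"]) for r in records
                   if r["op"] == "connect" and not r["ok"])


def deletions(records):
    """(timestamp, user, share, path) for every successful unlink or rmdir."""
    return [(r["ts"], r["user"], r["share"], r["args"][0] if r["args"] else "")
            for r in records if r["op"] in ("unlink", "rmdir") and r["ok"]]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print("%d audit records" % len(recs))
    for (user, op), n in sorted(ops_per_user(recs).items()):
        print("%-10s %-8s %d" % (user, op, n))
    for (user, ip), n in failed_connects(recs).items():
        print("failed connects: %s from %s x%d" % (user, ip, n))
    for ts, user, share, path in deletions(recs):
        print("deleted: %s %s [%s] %s" % (ts, user, share, path))
```

Run it against /var/log/samba-audit.log instead of SAMPLE_LOG to get the same summaries for a real server. The repeated-line expansion matters: without it the two visible failed connects in the sample would be counted as two rather than five.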