Auditing for Samba

Last update 1/9/2000 10:56 - abakun@thwartedefforts.org - Andy Bakun

Overview

In my environment, we need to provide accountability for certain actions such as during what times people were logged in and who deleted a file and such. My tools of choice include Samba running on UNIX, which currently does not have event auditing more useful than the pages upon pages of debugging output. This is my attempt to bring auditing to Samba.

This patch gives samba the capability to log various kinds of actions that happen from client machines. It uses syslog(3) to record events. The format of the output is customizable to fit your tastes or your site's logging standards.

It does not use the NT Event Viewer. Flat text files are much easier to handle and search, and the NT Event Viewer is extremely limited (you can't even sort by the columns). This patch allows you to specify the format of the entries also, making it even easier to insert the information into your favorite database to provide a better interface than the one I suggest you use (it's called "grep").
I elected to use syslog logging over a regular file because if you are running a larger site with a number of Samba file servers, you can use syslog to collect all the auditing stats in one place, and chances are, if you have a number of UNIX machines, you are already using remote syslog logging. Unfortunately, the syslog facility and levels are hardcoded and difficult to extend (I'm told that UUCP doesn't even use syslog, yet there is a facility value for it), which I was hoping to overcome with the ability to specify the facility and level in the config file.
This will change. I will end up implementing this by writing directly to a text file rather than going through the syslog to increase portablity and make it more straight forward.

Sample Output

This sample uses the default audit format, but this can be changed at run time to exclude certain information or label it in a different way.

Sep 21 18:47:42 jupiter samba[23988]: uranus rollout jwall(514) sysadmin(233) jwall(192.168.1.50) SHAREOPEN  
Sep 21 18:48:01 jupiter samba[23988]: jupiter home jwall(514) jwall(514) jwall(192.168.1.50) FILEDELETE file="jwall/New Text Document.txt" 
Sep 21 18:49:08 jupiter samba[23989]: uranus rollout abakun(500) sysadmin(233) abakun(192.168.1.20) SHAREOPEN  
Sep 21 18:49:52 jupiter samba[23988]: jupiter - - - jwall(192.168.1.50) LOGON interactive logon attempt for kdart 
Sep 21 18:49:52 jupiter samba[23988]: jupiter - - - jwall(192.168.1.50) LOGONFAIL wrong password for kdart 
Sep 21 18:49:55 jupiter samba[23988]: jupiter - - - jwall(192.168.1.50) LOGON interactive logon attempt for kdart 
Sep 21 18:49:55 jupiter samba[23988]: jupiter - - - jwall(192.168.1.50) LOGON successful logon for kdart 
Sep 21 18:49:59 jupiter samba[23988]: jupiter - - - jwall(192.168.1.50) LOGOFF user 100(100) 
Sep 21 18:51:44 jupiter samba[23988]: uranus rollout jwall(514) sysadmin(233) jwall(192.168.1.50) SHARECLOSE  
Sep 21 18:59:18 jupiter samba[23989]: uranus rollout abakun(500) sysadmin(233) abakun(192.168.1.20) SHARECLOSE  
Sep 21 20:38:55 jupiter samba[26535]: jupiter home abakun(500) abakun(500) abakun(192.168.1.20) FILEDELETE file="abakun/NTprofile/Recent/Jungle Maximize.WAV.lnk"

Downloading and Installation

Get the source for samba.
Download the patch.
- Here are the currently supported versions:
  - 2.0.5: samba-audit-2.0.5.diff. (* use -p0 in source/..)
  - 2.0.7: samba-audit-2.0.7.diff. (* use -p0 in source/..) THIS VERSION IS UNTESTED, BUT THE PATCH SHOULD APPLY FINE AND WORK. YMMV.
Be sure you have a version of patch that is compatible with GNU patch. Solaris patch, and I suspect others, has some (interesting) problems with this diff. GNU patch can be downloaded from prep.ai.mit.edu.
Apply the patch from the directory that contains the source/ directory.
cd samba code directory
patch -p0 < path and filename of patch
The -p0 is important. Note that you should not be in the source/ directory when applying the patch, but one level up from source/.
The patch patches Makefile.in, so you'll have to run configure again. Then make clean ; make. You know the drill.
Install new versions. You know the drill here also. :)
Modify your syslog.conf(8) to store the samba auditing messages in a separate file. I'm currently working with:
```
      local0.info                   /var/log/audit.samba
```
on a RedHat 5.1 system. Specifics may vary if you are on a non-Linux system and/or are not using the syslog included with RH5.1. The values you give for the facility and level may also be different if you specify different options at runtime.

New smb.conf options

Global

syslog auditing
Boolean
Default false
If auditing should be done. If auditing if turned off, then no auditing is done. If auditing is turned on and domain logons is true, then logons will be audited implictly.
syslog audit format
String
Default $server $share $user $group $client($clientaddr) $action
This defines how each line that is sent to syslog(3) appears. The following strings are substituted for their related information, or a single dash if the information doesn't apply to the event being audited.

$server
The server name. Only really useful if you have different configurations based on server name or are using netbios aliases
$share
The name of the share being accessed.
$user
The name and id of the user who performed the action, formatted as username(id)
$group
The name and id of the group of the user who performed the action, formatted as groupname(id)
$client
The netbios name of the client machine
$clientaddr
The IP address of the client machine
$action
The action that is being audited.

The format is suffixed with action-specifics, such as file names or logon information.
You may want to use a format like the following:
```
      server=$server share=$share user=$user group=$group client=$client($clientaddr) $action
```
So that you can easily determine the meanings of the values. Note that if $action is left out, there will be no way to determine exactly what was done.
syslog audit format can come in handy if you want to post process the auditing information.

Share
These options can, of course, be specified in the [global] section in order to set them for all shares.

syslog audit facility
enum
Default LOG_LOCAL0
The syslog facility to use when calling syslog(3). Can have one of the following values:
LOG_AUTHPRIV LOG_CRON LOG_DAEMON LOG_KERN LOG_LOCAL0 LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_LPR LOG_MAIL LOG_MAIL LOG_SYSLOG LOG_USER LOG_UUCP
syslog audit level
enum
Default LOG_INFO
The syslog level to use when calling syslog(3). Can have one of the following values:
LOG_EMERG LOG_ALERT LOG_CRIT LOG_ERR LOG_WARNING LOG_NOTICE LOG_INFO LOG_DEBUG
syslog audit actions
enum list
Default none
The list of actions to audit for this share. Should be a space seperated list of zero or more of the following values:
- DOMAINLOGON
- DOMAINLOGOFF (not reliable, and there is a good chance it won't ever be)
- SHAREOPEN
- SHARECLOSE
- FILEOPEN (appears to work)
- FILECLOSE (appears to work)
- FILEDELETE
- FILEMOVE
- FILECOPY (appears to work)
- MKDIR
- RMDIR
- PRINT (not implemented yet)
- SETATTR (not implemented yet)

Sample

[global]
   ...
   syslog auditing = true
   syslog audit format = $action $user $clientaddr \\$server\$share 
   ...

[share1]
   ...
   syslog audit actions = FILEDELETE FILEMOVE FILECOPY
   syslog audit facility = LOG_LOCAL1
   ...

[jobs]
   ...
   syslog audit actions = MKDIR RMDIR FILEDELETE
   ...

This, by the way, would produce a local1.info log entry like the following:

Sep 21 15:53:29 jupiter samba[11825]: FILEMOVE abakun(500) 192.168.1.20 \\jupiter\share1 source="\job367\Copy of manual.ps" dest="\job367\manual.ps.backup"

And local0.info entries:

Sep 21 15:59:30 jupiter samba[11825]: FILEDELETE abakun(500) 192.168.1.20 \\jupiter\jobs file="incoming/draft.ps" 
Sep 21 15:59:32 jupiter samba[11825]: MKDIR abakun(500) 192.168.1.20 \\jupiter\jobs dir="incoming/New Folder"

To do

Add some more substitution possiblities to the format string (what else could be useful?).
Should we audit pipe accesses and API calls in general? The debugging logs should be used for low level auditing.
Add \t => tab (and other C escapes?) substitution to audit format.
Make man page updates and add to patch.
Make logon auditing optional and not implict. partly done
Fix names and uids displayed during logons.
Make auditing of logoff more reliable if possible -- may be an NT issue.
works Verify that recursive rmdir show subdir and file deletion.
Determine if the values of struct_user are actually valid (ie, non-guest) in all the places were I can use it. It seems that at times during logon, the struct_user vuser that is passed around is for the guest user. This should save from having to call uidtoname and gidtoname all the time, which seems, on the surface, to be kind of expensive.
Do some more robust testing of the syslog facility and level settings per share.
Verify that auditing can be turned off completely for a single share, overriding global defaults.
problems with syslog found on other systems, working on fix Add stuff to the configure script and stuff.

Other

Bug reports/requests to abakun@thwartedefforts.org.

Thanks to Jonas Bofjal and Amol Karnik for some preliminary testing.

Announcement messages: