June 2011 Archives

Samba auditing

Today I tried doing something I'd put off for ages because I thought it was going to be really tricky: enabling auditing on a Samba share so there is a log of who is creating, deleting, and editing each file (to track down mysteriously disappearing files).

One quick search and I found this: "Samba: Logging User Activity".

It turns out to be a case of adding this to the share definition in smb.conf:

vfs objects = full_audit
full_audit:priority = INFO
full_audit:facility = LOCAL1
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:prefix = %u|%U|%I|%m|%S

And that's all. Works fine in RHEL5's Samba (3.0.33). Change the syslog settings to whatever makes sense and update /etc/syslog.conf accordingly, and you have an audit trail.