We have a central instance of smbd that we allow users to have home directories on, as well as project specific shares. It's a beefy ZFS on Linux instance that we call "tank" in reference to Jeff Bonwick's discussion of the humble ZFS beginnings within Sun. We run a backup strategy between it and a couple other trailing-mirrored instances that we've positioned around the facility. We've been eyeing ceph but are waiting to see how BlueStore pans out in the next major ceph releases.
We have a desire to be able to review everything a user did in terms of interaction with tank. This can be accomplished via something called a "Stackable VFS Module". You can check to see what VFS modules you have on your system by running
/usr/lib/samba/vfs/. We'll be using the
full_audit VFS module, there is also a
audit module that has less control over formatting (e.g. doesn't have prefix functionality) and less granular events to watch.
We want to audit every share with the same style of logging, so we'll put the following in our global directive:
vfs objects = full_audit full_audit:prefix = %u|%I|%M|%S full_audit:success = mkdir rmdir rename unlink pread pwrite full_audit:failure = none
Line by line:
vfs objects: we're activating the use of
full_audit, read about it via
man samba vfs_full_audit
full_auditrecords operations in fixed format consisting of fields separated by
|characters. The format is
smbd_audit: PREFIX|OPERATION|RESULT|FILE. Here is where we set the prefix we would like to see before
OPERATION|RESULT|FILE. We set these to available variables outlined in
man smb.conf, or easier in this docs table:
%u: Current Unix username
%I: the IP address of the client machine
%M: Client's DNS name
%S: Current share's name
full_audit:success: Specifies which actions will actually be logged when it has successfully been completed. We enumerate a small subset of what is documented in
man samba vfs_full_audit, these operations should all be standard Linux calls. You will need to man each one of these to figure out what you're interested in, for example
man unlinkwould be how you chase down logging for when a file is removed.
full_audit:failure: Specifies which actions will be logged when resulting in failure. We're not too keen on anything failure wise so we set it to the keyword
none. This would be a good place to toggle on
allwhen you wanted some information about activity failures (e.g. permissions issues).
You may notice, if you've found other write ups on
full_audit that we're avoiding the
full_audit:priority. This is because on modern Linux there is no syslog, instead there is systemd-journald. You'll see these logs show up in
journalctl, which can be individually accessed via
journalctl -t smbd_audit.
This is bound to get quite... large. We've not come up with a strategy for dealing with this quite yet, but it will likely be some windowing method.