Audit SMB activity with VFS Modules

We have a central instance of smbd that we allow users to have home directories on, as well as project specific shares. It’s a beefy ZFS on Linux instance that we call “tank” in reference to Jeff Bonwick’s discussion of the humble ZFS beginnings within Sun. We run a backup strategy between it and a couple other trailing-mirrored instances that we’ve positioned around the facility. We’ve been eyeing ceph but are waiting to see how BlueStore pans out in the next major ceph releases.

We want to be able to review everything a user did in terms of interaction with tank. This can be accomplished via what Samba calls a “Stackable VFS Module”. You can check which VFS modules are installed on your system by running ls on /usr/lib/samba/vfs/. We’ll be using the full_audit VFS module; there is also an audit module, which has less control over formatting (e.g. it has no prefix functionality) and a less granular set of events to watch.

We want to audit every share with the same style of logging, so we’ll put the following in our [global] section:

    vfs objects = full_audit
    full_audit:prefix = %u|%I|%M|%S
    full_audit:success = mkdir rmdir rename unlink pread pwrite
    full_audit:failure = none

Line by line:

  • vfs objects : we’re activating the use of full_audit, read about it via man samba vfs_full_audit
  • full_audit:prefix : full_audit records operations in a fixed format consisting of fields separated by | characters. The format is smbd_audit: PREFIX|OPERATION|RESULT|FILE. Here is where we set the prefix we would like to see before OPERATION|RESULT|FILE. We build it from the substitution variables outlined in man smb.conf; the ones we use are:
    • %u : Current Unix username
    • %I : the IP address of the client machine
    • %M : Client’s DNS name
    • %S : Current share’s name
  • full_audit:success : Specifies which actions will actually be logged when they complete successfully. We enumerate a small subset of what is documented in man samba vfs_full_audit; these operations should all correspond to standard Linux calls. You will need to man each one of these to figure out which you’re interested in, for example man unlink would be how you chase down logging for when a file is removed.
  • full_audit:failure : Specifies which actions will be logged when they result in failure. We’re not too keen on anything failure-wise, so we set it to the keyword none. This would be a good place to toggle on all when you want some information about activity failures (e.g. permissions issues).

You may notice, if you’ve found other write-ups on full_audit, that we’re avoiding full_audit:facility and full_audit:priority. This is because on modern Linux there is no syslog; instead there is systemd-journald. You’ll see these logs show up in journalctl, and they can be filtered to just the audit records via journalctl -t smbd_audit.
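Once the records are in the journal, the next thing you want is a way to turn the PREFIX|OPERATION|RESULT|FILE lines produced by the config above into something reviewable. The following is an added example (not code from the original post or from Samba) of a small parser and summariser for those records: it accepts either the default journalctl short output or the bare message from journalctl -t smbd_audit -o cat, splits the fields in the order our prefix emits them, tallies operations per user, and lists deletions and activity from unexpected client addresses. The journal lines, hostnames, IPs and the allowed-address set are all constructed for illustration; the assumption that rename records carry two paths (old|new) after RESULT is called out in the code.

```python
"""Parse smbd full_audit records (as configured above) and summarise them.

Added example. All sample input below is constructed for illustration and is
not output captured from a real server.
"""
from collections import Counter, defaultdict

# Field order produced by our config: prefix "%u|%I|%M|%S" then
# OPERATION|RESULT|FILE (see man vfs_full_audit).
FIELDS = ("user", "client_ip", "client_name", "share", "operation", "result", "path")

# Constructed sample of `journalctl -t smbd_audit` output. The rename line
# assumes full_audit logs both the old and new name separated by "|".
SAMPLE_JOURNAL = """\
Jun 03 09:14:02 tank smbd_audit[2211]: alice|10.1.2.30|ws-alice.example.internal|homes|pwrite|ok|alice/notes.txt
Jun 03 09:14:05 tank smbd_audit[2211]: alice|10.1.2.30|ws-alice.example.internal|homes|rename|ok|alice/notes.txt|alice/notes-old.txt
Jun 03 09:15:10 tank smbd_audit[2240]: bob|10.1.2.41|ws-bob.example.internal|projects|unlink|ok|proj-x/draft.docx
Jun 03 09:15:12 tank smbd_audit[2240]: bob|10.1.2.41|ws-bob.example.internal|projects|mkdir|ok|proj-x/archive
Jun 03 09:16:00 tank smbd_audit[2240]: bob|10.1.2.41|ws-bob.example.internal|projects|unlink|ok|proj-x/old.xlsx
Jun 03 09:17:31 tank smbd_audit[2305]: carol|192.0.2.77|unknown|projects|pread|ok|proj-x/budget.xlsx
Jun 03 09:17:40 tank systemd[1]: Started some unrelated service.
"""


def extract_message(line):
    """Return the audit message from a journal line, or None if it is not one.

    Handles both "... smbd_audit[pid]: MSG" (default journalctl output) and a
    bare "MSG" (journalctl -o cat).
    """
    line = line.rstrip("\n")
    idx = line.find("smbd_audit")
    if idx == -1:
        return line
    rest = line[idx + len("smbd_audit"):]
    colon = rest.find(": ")
    if colon == -1:
        return None
    return rest[colon + 2:]


def parse_record(line):
    """Split one audit message into a dict keyed by FIELDS, or None if malformed.

    maxsplit keeps any extra "|"-separated tail (e.g. rename's old|new pair)
    inside the path field rather than discarding it.
    """
    msg = extract_message(line)
    if msg is None:
        return None
    parts = msg.split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def parse_journal(text):
    """Parse every line of journal text, silently skipping non-audit lines."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def activity_by_user(records):
    """Map user -> Counter of operations, e.g. how many unlinks bob performed."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["user"]][rec["operation"]] += 1
    return summary


def deleted_paths(records):
    """List (user, share, path) for every successful unlink/rmdir."""
    return [
        (r["user"], r["share"], r["path"])
        for r in records
        if r["operation"] in ("unlink", "rmdir") and r["result"] == "ok"
    ]


def unexpected_clients(records, allowed_prefixes):
    """Return records whose client IP does not start with an allowed prefix.

    Useful as a quick check that shares are only reached from the networks you
    expect; the prefixes are constructed for this example.
    """
    return [
        r for r in records
        if not any(r["client_ip"].startswith(p) for p in allowed_prefixes)
    ]


if __name__ == "__main__":
    recs = parse_journal(SAMPLE_JOURNAL)
    for user, ops in sorted(activity_by_user(recs).items()):
        print(user, dict(ops))
    print("deleted:", deleted_paths(recs))
    print("off-net:", [(r["user"], r["client_ip"]) for r in unexpected_clients(recs, ("10.1.",))])
```

In practice you would feed the parser with the real journal, e.g. journalctl -t smbd_audit -o cat --since today piped into it, rather than the constructed sample; the -o cat form is the cheapest to parse because only the message survives.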

This is bound to get quite… large. We’ve not come up with a strategy for dealing with this quite yet, but it will likely be some windowing method (retaining only a recent window of records).