Samba audit is a simple audit module for Samba which uses the vfs_full_audit module. All operations are logged to a file, and a logrotate job parses all entries and stores them in a MySQL database. Logs are browsable through a web interface.
SambaAudit is based on the Samba Audit project. See: http://sourceforge.net/projects/smbdaudit/ The current implementation uses the standard full_audit VFS module instead of mysql_audit.
The package configures the standard Samba VFS audit to log write and read actions inside the /var/log/smbaudit.log file.
Every night, a script called by logrotate parses the log file and puts all audit actions inside the smbaudit MySQL database.
The database can be explored using Cockpit or the legacy PHP UI.
The package adds the following properties to the smb key:
AuditAlias: auto-generated alias used to access the legacy UI
AuditLogRead: can be enabled or disabled. If enabled, read actions are stored in the database during the parsing; if disabled, only write actions will be written to the database.
Example:
smb=service AuditAlias=43d5xxxxxxxxxxxxxxxxf023e46a11a4b7cb233a AuditLogRead=disabled DeadTime=10080 HomeAdmStatus=disabled InheritOwner=no NetbiosAliasList= ShareAdmStatus=disabled TCPPorts=139,445 UseClientDriver=yes UseCups=enabled WinsServerIP= access=green status=enabled
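How the AuditLogRead switch changes what the nightly parse keeps, as an added example that is not the package's own parser. The record layout (user|ip|operation|result|path after an smbd_audit: marker), the read and write operation sets, and the sample log lines are assumptions constructed for illustration.

```python
# Added example, not the package's own parser.
# Assumption: each audit record is "smbd_audit: user|ip|operation|result|path".
READ_OPS = {"pread", "opendir"}                               # assumed read set
WRITE_OPS = {"pwrite", "mkdir", "rmdir", "unlink", "rename"}  # assumed write set

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
Mar  3 10:15:01 srv smbd_audit: alice|192.0.2.10|pread|ok|report.odt
Mar  3 10:15:04 srv smbd_audit: alice|192.0.2.10|pwrite|ok|report.odt
Mar  3 10:15:09 srv smbd_audit: bob|192.0.2.11|unlink|fail (Permission denied)|old.txt
Mar  3 10:15:12 srv smbd_audit: bob|192.0.2.11|rename|ok|a|b.txt|c.txt
Mar  3 10:16:00 srv smbd[123]: unrelated daemon message
Mar  3 10:16:02 srv smbd_audit: carol|192.0.2.12|pread
"""

MARKER = "smbd_audit: "


def parse_line(line):
    """Return one audit record as a dict, or None for non-audit or truncated lines."""
    pos = line.find(MARKER)
    if pos < 0:
        return None
    # Split only the four fixed fields: file names may themselves contain "|",
    # and rename carries two paths, so the remainder stays in "path" untouched.
    fields = line[pos + len(MARKER):].split("|", 4)
    if len(fields) != 5:
        return None
    user, ip, op, result, path = fields
    return {"user": user, "ip": ip, "op": op, "result": result, "path": path}


def select_rows(log_text, audit_log_read="disabled"):
    """Records that would be stored: writes always, reads only when enabled."""
    wanted = set(WRITE_OPS)
    if audit_log_read == "enabled":
        wanted |= READ_OPS
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Failed operations are kept: a denied unlink is still an audit event.
        if rec is not None and rec["op"] in wanted:
            rows.append(rec)
    return rows


if __name__ == "__main__":
    for mode in ("disabled", "enabled"):
        print(mode, [(r["user"], r["op"], r["result"]) for r in select_rows(SAMPLE_LOG, mode)])
```

With AuditLogRead=disabled, as in the example above, read access to a file leaves no row in the database, so questions about who opened a document can only be answered from the raw log while it is still retained.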
To enable the audit for a shared folder, set the SmbAuditStatus property on the ibay record.
Example:
test=ibay ... SmbAuditStatus=enabled ...