1. Define the output file

   vi /etc/syslog.conf

   and add the line:

   local5.notice	/var/log/samba/audit.log

   Note: Use tabs, not spaces, between the selector and the file name!

2. Make sure the output file is rotated

   logadm -A 6w -S5g -z 0 -c -p 1w -w /var/log/samba/audit.log

   Where:
   -A 6w   means delete rotated versions older than 6 weeks
   -S5g    means delete the oldest versions until all versions together take less than 5 GB
   -z 0    means compress all previous versions
   -c      means rotate by copying and then truncating the log file to zero length, rather than renaming it
   -p 1w   means rotate after 1 week
   -w      means write these settings to /etc/logadm.conf so the rotation persists

3. Change the Samba settings for the shares

   vi /etc/samba/smb.conf

   To the [global] section add the lines:

   full_audit:prefix = %U|%I|%u|%S
   full_audit:failure = connect
   full_audit:success = connect disconnect mkdir rmdir read pread write pwrite sendfile rename unlink chmod fchmod chown fchown ftruncate lock symlink readlink link mknod
   full_audit:facility = LOCAL5
   full_audit:priority = notice

   For each of the shares you want to audit, add the line:

   vfs objects = full_audit

   Note: If you want to audit all shares, add this line to the [global] section instead.

   In case you're wondering, file creates and deletes show up in the log as:
   create=pwrite
   delete=unlink

4. Restart Samba

   svcadm restart samba
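As an added example (not part of the original how-to), here is a small Python parser and check for the audit lines the configuration above produces. It assumes the syslog header shape "Mar  3 09:12:01 nas1 smbd_audit[4821]: ..." (the exact header depends on your syslogd and Samba version) and the field order set by full_audit:prefix = %U|%I|%u|%S, followed by full_audit's own op|result|args fields. The host name, users, addresses and file names in the sample lines are constructed, as is the threshold for flagging a burst of deletes.

```python
import re
from collections import Counter

# Assumed syslog line shape (varies by syslogd and Samba version):
#   "<Mon DD HH:MM:SS> <host> smbd_audit[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<ident>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)

# With full_audit:prefix = %U|%I|%u|%S the message body is
#   <session user>|<client IP>|<unix user>|<share>|<op>|<ok or fail (reason)>|<args...>
PREFIX_FIELDS = ("user", "client_ip", "unix_user", "share")

# Constructed sample lines, not real log data. The last line is not an
# audit record and must be ignored by the parser.
SAMPLE_LOG = """\
Mar  3 09:12:01 nas1 smbd_audit[4821]: alice|10.0.0.5|alice|projects|connect|ok|projects
Mar  3 09:12:03 nas1 smbd_audit[4821]: alice|10.0.0.5|alice|projects|pwrite|ok|report.docx
Mar  3 09:12:09 nas1 smbd_audit[4821]: alice|10.0.0.5|alice|projects|unlink|ok|old.tmp
Mar  3 09:15:44 nas1 smbd_audit[4902]: bob|10.0.0.77|bob|finance|connect|fail (Permission denied)|finance
Mar  3 09:20:10 nas1 smbd_audit[4950]: carol|10.0.0.99|carol|projects|unlink|ok|a.doc
Mar  3 09:20:11 nas1 smbd_audit[4950]: carol|10.0.0.99|carol|projects|unlink|ok|b.doc
Mar  3 09:20:12 nas1 smbd_audit[4950]: carol|10.0.0.99|carol|projects|unlink|ok|c.doc
Mar  3 09:20:13 nas1 smbd_audit[4950]: carol|10.0.0.99|carol|projects|unlink|fail (Permission denied)|d.doc
Mar  3 09:21:00 nas1 smbd_audit[4950]: carol|10.0.0.99|carol|projects|disconnect|ok|projects
Mar  3 09:22:00 nas1 sshd[5001]: Accepted publickey for alice from 10.0.0.5 port 50122
"""


def parse_audit_line(line):
    """Return a dict for one full_audit record, or None for any other line."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("ident") != "smbd_audit":
        return None
    parts = m.group("msg").split("|")
    # The prefix fields plus op and result are mandatory; args may be empty.
    if len(parts) < len(PREFIX_FIELDS) + 2:
        return None
    rec = dict(zip(PREFIX_FIELDS, parts))  # zip stops after the 4 prefix fields
    rec["ts"] = m.group("ts")
    rec["host"] = m.group("host")
    rec["op"] = parts[len(PREFIX_FIELDS)]
    rec["result"] = parts[len(PREFIX_FIELDS) + 1]
    rec["ok"] = rec["result"] == "ok"      # anything else is "fail (<reason>)"
    rec["args"] = parts[len(PREFIX_FIELDS) + 2:]
    return rec


def summarize(lines, unlink_threshold=3):
    """Parse audit lines and pull out what an operator wants to see first:
    failed share connects and users deleting many files on one share."""
    records = [r for r in map(parse_audit_line, lines) if r is not None]
    failed_connects = [r for r in records if r["op"] == "connect" and not r["ok"]]
    # Count only successful unlinks: a refused delete changed nothing on disk.
    unlinks = Counter(
        (r["user"], r["share"]) for r in records if r["op"] == "unlink" and r["ok"]
    )
    mass_delete = {key: n for key, n in unlinks.items() if n >= unlink_threshold}
    return {
        "parsed": len(records),
        "failed_connects": failed_connects,
        "unlinks": unlinks,
        "mass_delete": mass_delete,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print(f"parsed {summary['parsed']} audit records")
    for r in summary["failed_connects"]:
        print(f"failed connect: {r['user']}@{r['client_ip']} -> {r['share']} ({r['result']})")
    for (user, share), n in summary["mass_delete"].items():
        print(f"mass delete: {user} removed {n} files on share {share}")
```

Point the script at the rotated file (logadm keeps the older versions beside /var/log/samba/audit.log, compressed once -z 0 is in effect) and the same two checks work over a day or a week of history; the delete threshold is a placeholder you would tune to the share's normal churn.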