This document provides instructions for configuring Samba with audit trail capabilities on an Ubuntu server. It explains that audit trails record a chronological sequence of activities to provide evidence of specific operations or events. The configuration example shows Samba settings to log file sharing activity to a specific log file using the "full_audit" VFS object. It also provides instructions to edit rsyslog configuration to direct Samba audit logs to a file and restart services for the changes to take effect.

1. SAMBA WITH AUDIT
TRAIL
ADDITIONAL CONFIGURATION FOR SAMBA (UBUNTU SERVER)
Ali Rachman

2. SAMBA
Samba is free software that use SMB/CIFS networking protocol. Samba originally developed by Andrew
Tridgell. In this presentation, I will show you a short configuration for configuring samba with audit trail, so
we can know user activity within our file server.
Audit trail is security-relevant chronological record, set of records, and/or destination and source of record
that provide documentary evidence of the sequence of activities that have affected at any time a specific
operation, procedure, or event. Audit records typically result from activities such as financial transaction,
scientific research and health care data transaction, or communications by individual people, systems,
accounts, or other entities (Wikipedia)
Ali Rachman

3. SAMBA CONFIGURATION FOR AUDIT TRAIL
Example Configuration
[global]
workgroup = Workgroup
server string = Samba Server
Version %v
netbios name = server-sharing
security = share
[SHARE]
path = /data
public = yes
browseable = yes
read only = no
force user = test
force group = test
vfs objects = full_audit
full_audit:prefix = %u|%i|%m|%s
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = LOCAL6
Ali Rachman
full_audit:priority = NOTICE

4. Edit file /etc/rsyslog.d/50-default.conf and following command
# Default rules for rsyslog.
#
#
For more information see rsyslog.conf(5) and /etc/rsyslog.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.*
/var/log/auth.log
*.*;auth,authpriv.none
-/var/log/syslog
#cron.*
/var/log/cron.log
daemon.*
-/var/log/daemon.log
kern.*
-/var/log/kern.log
lpr.*
-/var/log/lpr.log
mail.*
-/var/log/mail.log
user.*
-/var/log/user.log
local6.*
-/var/log/samba/audit.log
Ali Rachman

5. After that do following command
#service rsyslog restart
#service smbd restart
You can see the log at /var/log/samba
#tail audit.log
THANK
YOU
Ali Rachman