FreeNAS + Samba + full_audit (log user activity)

Status
Not open for further replies.

lorenzoASR

Dabbler
Joined
Nov 10, 2012
Messages
39
Hi,

I need to log all activity of my users on a shared resource, and I decided to use the VFS object "full_audit". I used it without problems on Debian in the past, but I'm having some trouble right now!

I added those lines in the configuration of my shared resource, Shared -> CIFS -> MyResourceName -> Auxiliary Parameters:

Code:
vfs objects = full_audit

full_audit:prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
full_audit:facility = LOCAL5
full_audit:priority = NOTICE


I have also modified my /etc/syslog.conf; this is the interesting part:

Code:
#       Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit                /dev/console
#*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err  /var/log/messages
local5.=info            /mnt/storage1/misc/logs/samba/docs.log
local5.=notice          /mnt/storage1/misc/logs/samba/activity.log
local0.notice;local1.notice;local2.notice;local3.notice /var/log/messages
local4.notice;local6.notice;local7.notice               /var/log/messages


So, I restarted syslogd and my system created the 2 files activity.log and docs.log under /mnt/storage1/misc/logs/samba/!

After all that, I created some Network Units, entered the credentials of a couple of authorized users (from a Vista and an XP box), and I was able to browse/modify/create all I wanted, but when I checked my activity.log file I had a bad surprise:

Code:
Nov 25 19:48:32 freenas smbd_audit: OTTAVIANO\tdei1|192.168.1.146|192.168.1.146|IPC_|connect|ok|IPC$
Nov 25 19:48:50 freenas smbd_audit: OTTAVIANO\tdei1|192.168.1.146|192.168.1.146|IPC_|disconnect|ok|IPC$
Nov 25 19:50:20 freenas smbd_audit: OTTAVIANO\tdei1|192.168.1.146|192.168.1.146|IPC_|connect|ok|IPC$
Nov 25 19:50:37 freenas smbd_audit: OTTAVIANO\tdei1|192.168.1.146|192.168.1.146|IPC_|disconnect|ok|IPC$
Nov 25 19:52:49 freenas smbd_audit: OTTAVIANO\segreteria0|192.168.1.103|postazione3|IPC_|connect|ok|IPC$
Nov 25 19:52:49 freenas smbd_audit: OTTAVIANO\segreteria0|192.168.1.103|postazione3|IPC_|realpath|ok|/tmp
Nov 25 19:52:49 freenas smbd_audit: OTTAVIANO\segreteria0|192.168.1.103|postazione3|IPC_|realpath|ok|/var/tmp
Nov 25 19:52:49 freenas smbd_audit: OTTAVIANO\segreteria0|192.168.1.103|postazione3|IPC_|chdir|ok|chdir|/var/tmp


Those are the only messages that I have found! But I set filters on all operations... I really don't understand what could be causing this problem!

Thanks in advance
Lorenzo
 

lorenzoASR

Dabbler
Joined
Nov 10, 2012
Messages
39
Hi to all,

I've done another test: I disabled Active Directory to check whether it was the problem with auditing, but that has not solved it!

This is my full_audit log after an authentication from Windows XP with a local user added directly on FreeNAS!

Code:
Nov 27 16:57:13 freenas last message repeated 5 times
Nov 27 16:57:13 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|disconnect|ok|IPC$
Nov 27 16:57:13 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|chdir|ok|chdir|/
Nov 27 16:57:35 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|connect|ok|IPC$
Nov 27 16:57:35 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|realpath|ok|/tmp
Nov 27 16:57:35 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|realpath|ok|/var/tmp
Nov 27 16:57:35 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|chdir|ok|chdir|/var/tmp
Nov 27 16:57:49 freenas last message repeated 2 times
Nov 27 16:57:49 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|disconnect|ok|IPC$
Nov 27 16:57:49 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|chdir|ok|chdir|/


The problem is the same... Samba doesn't seem to see the directory that I'm exploring, nor the files that I've created/modified/deleted!

I hope that some FreeNAS developer can help me, because I've searched the net for "FreeNAS+full_audit" but there is nothing about it!

Thanks in advance to anyone who will help me!
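
An added example, not part of the original posts: a small Python parser for the smbd_audit lines quoted above. It tallies operations per share (including syslog "last message repeated" lines) and lists which of the configured full_audit:success operations never show up. The sample lines are constructed in the shape of the logs in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Operations from the full_audit:success line in the first post.
EXPECTED = ("connect disconnect opendir mkdir rmdir closedir open close read "
            "pread write pwrite sendfile rename unlink chmod fchmod chown "
            "fchown chdir ftruncate lock symlink readlink link mknod realpath").split()

# Constructed sample in the shape of the log lines quoted in the thread.
SAMPLE = r"""
Nov 27 16:57:13 freenas last message repeated 5 times
Nov 27 16:57:35 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|connect|ok|IPC$
Nov 27 16:57:35 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|realpath|ok|/tmp
Nov 27 16:57:35 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|chdir|ok|chdir|/var/tmp
Nov 27 16:57:49 freenas last message repeated 2 times
Nov 27 16:57:49 freenas smbd_audit: lorenzo|192.168.1.131|IPC_|disconnect|ok|IPC$
Nov 25 19:52:49 freenas smbd_audit: OTTAVIANO\segreteria0|192.168.1.103|postazione3|IPC_|connect|ok|IPC$
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s\S+\ssmbd_audit: (.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def parse_line(line):
    """Split one smbd_audit line into prefix fields, operation, result, args."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group(1).split("|")
    # The prefix length depends on full_audit:prefix, so locate the result
    # field ("ok" or "fail (...)"); the operation sits just before it.
    for i, f in enumerate(fields):
        if i >= 2 and (f == "ok" or f.startswith("fail")):
            prefix = fields[:i - 1]
            return {"user": prefix[0], "share": prefix[-1],
                    "op": fields[i - 1], "result": f, "args": fields[i + 1:]}
    return None

def summarize(text):
    """Count (share, operation) pairs, expanding syslog repeat lines."""
    counts, last = Counter(), None
    for line in text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            if last:  # a repeat line with no parsed predecessor is skipped
                counts[last] += int(rep.group(1))
            continue
        rec = parse_line(line)
        if rec:
            last = (rec["share"], rec["op"])
            counts[last] += 1
    return counts

def never_logged(counts):
    """Configured operations that do not appear anywhere in the log."""
    seen = {op for _, op in counts}
    return [op for op in EXPECTED if op not in seen]
```

Run over the sample, the only share that appears is IPC_, and file operations such as open, write and unlink are in the never-logged list, which matches what the posts above describe.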
 

xtrenge

Cadet
Joined
Mar 31, 2014
Messages
7
I'm actually looking for something like this. I don't know if you found something more detailed, because of the date of the post. I'm currently using 9.2.1.3.

I'm going to try this and I hope to get some info :D

cheers
 

TheSmoker

Patron
Joined
Sep 19, 2012
Messages
225
Any additional info on this? I am trying to see what users are modifying/deleting on the CIFS exported ZFS volumes.
 

Rocky3598

Cadet
Joined
Nov 24, 2014
Messages
2
Was this ever resolved? Is there any documentation on how to set up file auditing within FreeNAS?
 

lorenzoASR

Dabbler
Joined
Nov 10, 2012
Messages
39
Hello,

Yes, it was. I posted a tutorial on how to set up FreeNAS with full auditing on this forum. I'm not at home now, so it isn't easy to find it from mobile, but you could find it easily by checking my other posts.

Happy new year
 

Rocky3598

Cadet
Joined
Nov 24, 2014
Messages
2
I used this and got it working most of the way. Still trying to get the logs to be saved to a mounted directory rather than the root directory. I will keep working on it and come up with some sort of tutorial. Thank you for your fast response.
 