SMB enabling Auditing-Third-party

ignaciop

Cadet
Joined
Sep 18, 2019
Messages
8
Moved to an external Windows AD DS and using FreeNAS to host all the shares. All the permissions are correct and operation is great. The issue is I need to add file auditing for viewing users' behavior (adding/deleting/copying/modifying, etc.). Has anyone ever had any success being able to get this to work? I have tried several auditing software solutions but they all don't recognize the share, or any logs. I want to keep my FreeNAS setup but I need to add this. Any help or recommendations on auditing software would be greatly appreciated.

I have enabled VFS object Full_Audit under SMB sharing for each specific share.

JayG30

Contributor
Joined
Jun 26, 2013
Messages
158
If trying to use full_audit I believe you will need to define more settings.
See HERE. Specifically note the Options section. For instance;

full_audit:success = LIST
LIST is a list of VFS operations that should be recorded if they succeed. Operations are specified using the names listed above. Operations can be unset by prefixing the names with "!". The default is none operations.

full_audit:failure = LIST
LIST is a list of VFS operations that should be recorded if they failed. Operations are specified using the names listed above. Operations can be unset by prefixing the names with "!". The default is none operations.

The default is NONE. Which I believe would mean nothing gets logged.
See their example:

Log file and directory open operations on the [records] share using the LOCAL7 facility and ALERT priority, including the username and IP address. Logging excludes the open VFS function on failures:

[records]
path = /data/records
vfs objects = full_audit
full_audit:prefix = %u|%I
full_audit:success = open opendir
full_audit:failure = all !open
full_audit:facility = LOCAL7
full_audit:priority = ALERT

There is also just an audit VFS object. This doesn't need as much configuration and appears to just have some default operations it audits.
See HERE.

I tested these a LONG time ago alongside Elastic as a syslog server. They worked then.
You don't need an "auditing" software. You need to enable one of these, configure it to output events to syslog (or other location). At that point you either leave those logs local to the machine with your desired retention via log rotation. Or you feed them into your centralized log server, whatever that infrastructure might look like for you (Splunk, Elastic, Graylog, Nagios, Solarwinds, etc....or a SIEM like qRadar, LogRhythm, AlienVault, Security Onion, etc).

ignaciop

Cadet
Joined
Sep 18, 2019
Messages
8
JayG30, you're a god! Would you happen to remember how you got into the config to edit the VFS object so I can run some tests? I have messed with Samba before but not within the confines of FreeNAS. Also, the command line is not something I use every day. Thanks again.

JayG30

Contributor
Joined
Jun 26, 2013
Messages
158
You don't have to edit anything from the CLI.
  1. Sharing > SMB > Edit share in question
  2. Toggle Advanced Mode
  3. add audit or full_audit in VFS Objects
  4. Add additional settings in "Auxiliary Parameters"
    1. For example add these for full_audit from above;
    2. full_audit:prefix = %u|%I
      full_audit:success = open opendir
      full_audit:failure = all !open
      full_audit:facility = LOCAL7
      full_audit:priority = ALERT
    3. Anything you add here goes in the smb.conf file under that share's section (i.e. [sharename]). You don't have to add the vfs_objects= line to the auxiliary parameters because that's already what the VFS Objects dropdown in FreeNAS does.
  5. Save
  6. You are now logging open and opendir success actions and all failure actions.
I can then see the entries hit the log from the cli by running;
Code:
tail -f /var/db/system/syslog-xxxxxxxxxx/log/messages

You'll need to check where you are storing your syslogs. It's under System > System Dataset. I log mine to the pool.

You'll get entries like this;
Code:
Jul 16 11:58:24 freenas smbd_audit: DOMAIN\USER|192.168.X.X|open|ok|r|/mnt/store/IT/file.txt


I just did all this to test in the past 15min on one of my systems and it worked.

Once you have that you'll want to work on getting it out to a syslog server. Check System > General > Syslog Level and Syslog server. That's where you can define what level of info and where the logs go.
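Once the entries shown above are landing in syslog, the next practical question is what to do with them. The following script is an added example (not code from the thread or from the Samba project): it parses full_audit records written with the thread's `full_audit:prefix = %u|%I` setting, separates the `ok` and `fail (...)` result field as the module emits it, ignores unrelated syslog lines, and reports denied operations per user and successful data-changing operations (deletes, renames, write-opens). The sample lines are constructed for this example; the user names, client IPs and paths are not from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Matches a syslog line written by Samba's full_audit module when the share
# is configured with  full_audit:prefix = %u|%I  as in the thread above.
# Everything after "smbd_audit: " is a pipe-separated record:
#   <user>|<client ip>|<vfs op>|<ok | fail (strerror)>|<op arguments...>
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) smbd_audit: (?P<rest>.*)$"
)

# VFS operations that change data on the share (a subset of the operation
# names listed in vfs_full_audit(8)). An "open" with mode "w" counts too.
CHANGE_OPS = {"unlink", "rename", "mkdir", "rmdir", "write", "pwrite",
              "ftruncate", "chmod", "chown"}

# Constructed sample input, not real log data. The last line is deliberately
# from another daemon to show that it is skipped.
SAMPLE_LINES = r"""
Jul 16 11:58:24 freenas smbd_audit: DOMAIN\alice|192.168.1.20|open|ok|r|/mnt/store/IT/file.txt
Jul 16 11:58:25 freenas smbd_audit: DOMAIN\alice|192.168.1.20|opendir|ok|/mnt/store/IT
Jul 16 11:58:30 freenas smbd_audit: DOMAIN\bob|192.168.1.31|open|ok|w|/mnt/store/IT/report.docx
Jul 16 11:58:31 freenas smbd_audit: DOMAIN\bob|192.168.1.31|unlink|ok|/mnt/store/IT/old.docx
Jul 16 11:58:40 freenas smbd_audit: DOMAIN\mallory|192.168.1.77|open|fail (Permission denied)|r|/mnt/store/HR/salaries.xlsx
Jul 16 11:58:41 freenas smbd_audit: DOMAIN\mallory|192.168.1.77|unlink|fail (Permission denied)|/mnt/store/HR/salaries.xlsx
Jul 16 11:58:42 freenas sshd[1234]: Accepted publickey for root from 192.168.1.5 port 50000 ssh2
""".strip().splitlines()


@dataclass
class AuditEvent:
    timestamp: str
    host: str
    user: str
    client_ip: str
    operation: str
    status: str          # "ok" or "fail"
    detail: str          # strerror text on failure, "" on success
    args: list = field(default_factory=list)


def parse_line(line):
    """Return an AuditEvent for a full_audit syslog line, or None for any
    other line (other daemons, truncated records, unknown result field)."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    # Caveat: the prefix format has no escaping, so a file name containing
    # "|" would shift these fields. Pick a separator that cannot occur in
    # your paths if that matters for your data.
    fields = m.group("rest").split("|")
    if len(fields) < 4:
        return None
    user, client_ip, op, result = fields[:4]
    if result == "ok":
        status, detail = "ok", ""
    elif result.startswith("fail"):
        status = "fail"
        detail = result[len("fail"):].strip().strip("()")
    else:
        return None
    return AuditEvent(m.group("ts"), m.group("host"), user, client_ip,
                      op, status, detail, fields[4:])


def is_change(ev):
    """True if the event modified the share (delete, rename, mkdir, write-open, ...)."""
    if ev.operation in CHANGE_OPS:
        return True
    return ev.operation == "open" and ev.args[:1] == ["w"]


def summarize(lines):
    """Parse syslog lines and report (a) how many audit records were found,
    (b) denied operations per user@ip, (c) successful changes as
    (user, operation, last path argument)."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    failures = Counter(f"{ev.user}@{ev.client_ip}"
                       for ev in events if ev.status == "fail")
    changes = [(ev.user, ev.operation, ev.args[-1])
               for ev in events if ev.status == "ok" and is_change(ev) and ev.args]
    return {"parsed": len(events), "failures": failures, "changes": changes}


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(f"{report['parsed']} audit records parsed")
    for who, n in report["failures"].most_common():
        print(f"denied: {who} x{n}")
    for user, op, path in report["changes"]:
        print(f"change: {user} {op} {path}")
```

To run it against a real system, replace `SAMPLE_LINES` with the lines of the `messages` file named earlier in the thread. Note that with `full_audit:success = open opendir` only opens are recorded on success, so the `unlink` and `rename` rows this script looks for will only appear once those operation names are added to the `success` list.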

Hellrazorx

Dabbler
Joined
Apr 30, 2021
Messages
29
You don't have to edit anything from the CLI.
  1. Sharing > SMB > Edit share in question
  2. Toggle Advanced Mode
  3. add audit or full_audit in VFS Objects
  4. Add additional settings in "Auxiliary Parameters"
    1. For example add these for full_audit from above;
    2. full_audit:prefix = %u|%I
      full_audit:success = open opendir
      full_audit:failure = all !open
      full_audit:facility = LOCAL7
      full_audit:priority = ALERT
    3. Anything you add here goes in the smb.conf file under that share's section (i.e. [sharename]). You don't have to add the vfs_objects= line to the auxiliary parameters because that's already what the VFS Objects dropdown in FreeNAS does.
  5. Save
  6. You are now logging open and opendir success actions and all failure actions.
I can then see the entries hit the log from the cli by running;
Code:
tail -f /var/db/system/syslog-xxxxxxxxxx/log/messages

You'll need to check where you are storing your syslogs. It's under System > System Dataset. I log mine to the pool.

You'll get entries like this;
Code:
Jul 16 11:58:24 freenas smbd_audit: DOMAIN\USER|192.168.X.X|open|ok|r|/mnt/store/IT/file.txt


I just did all this to test in the past 15min on one of my systems and it worked.

Once you have that you'll want to work on getting it out to a syslog server. Check System > General > Syslog Level and Syslog server. That's where you can define what level of info and where the logs go.

The option:
  • add audit or full_audit in VFS Objects
no longer seems to be available in TN 12-U5.

Is it still needed?

Thanks