A staff member came to me to state that his Yahoo account had been hacked from our company account, or so he claimed. This made me look at the samba logs and realise that user logging was not actually implemented while it is relatively easy to do so.
This is used on Ubuntu 11.04 but the same should more or less work on any other system.
Edit the Samba configuration file and add the following
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%s
full_audit:success = open read pwrite unlink rmdir delete
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = ALERT
I have set failure at none as I am only worried about if people gain access and the logs generated are rather huge.
Then edit the syslog configuration file
Note that the audit log needs to be owned by syslog.adm without which no logging to another file but syslog will take place.
chmod 640 /var/log/samba/audit.log chown syslog.adm /var/log/samba/audit.log
Don’t forget to restart the services for the changes to take effect
service smbd restart
service nmbd restart
service rsyslog restart
The above staff member had accused our IT manager who has full access to the system. In such a case perhaps it may be an idea to make such a file a hidden one by prefixing the file name with a full-stop.