Sunday 1 February 2015

Samba Server with Audit Log Facility


Samba Server with Audit Log Facility (Syslog) in CentOS 6.*



----------------------------------------------------------------------------------------
1) Stop unwamted Services or settings
----------------------------------------------------------------------------------------
# /etc/init.d/NetworkManager stop
# chkconfig NetworkManager off
Note: Make sure you have configured Network i.e. (IP Address/Netmask/Gateway/DNS)

# /etc/init.d/sendmail stop
# chkconfig sendmail off
# vi /etc/sysconfig/selinux
SELINUX=disabled


HOSTNAME=samba.deva.com



----------------------------------------------------------------------------------
2) Bashrc Setting
----------------------------------------------------------------------------------

#vi /etc/bashrc

#----------------------------------------------------------------------------------
#CHANGES START
#----------------------------------------------------------------------------------
alias c='clear'
alias df='df -Th'
export HISTSIZE=10000
export HISTTIMEFORMAT="%h %d %H:%M:%S "
export HISTFILESIZE=10000…


#----------------------------------------------------------------------------------
#CHANGES END
#----------------------------------------------------------------------------------


#. /etc/bashrc





----------------------------------------------------------------------------------------
3) Open Necessary Ports in iptables
----------------------------------------------------------------------------------------
# vi /etc/sysconfig/iptables

### deva Network ###
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 901 -j ACCEPT



Note :192.168.1.0/24 will be your Network

#/etc/init.d/iptables restart
#chkconfig iptables on


----------------------------------------------------------------------------------------
4) Install Require Packages and dependencies and verify
----------------------------------------------------------------------------------------
#yum update kernel

#yum install -y samba samba-commons cups-libs
#yum install samba* -y
#yum install xinetd samba-swat -y

----------------------------------------------------------------------------------------
5)Create Share , Group & User
----------------------------------------------------------------------------------------

[root@samba ~]# mkdir   /opt/data

[root@samba ~]# groupadd tech
[root@samba ~]# chgrp -R tech   /opt/data
[root@samba ~]# chmod -R 777   /opt/data

[root@samba ~]# useradd devendra.joshi
[root@samba ~]# usermod -G tech devendra.joshi
[root@samba ~]# smbpasswd -a devendra.joshi
New SMB password:
Retype new SMB password:
Added user devendra.joshi.







----------------------------------------------------------------------------------------
6)Backup smb.conf , Edit smb.conf & paste following config in smb.conf
----------------------------------------------------------------------------------------

[root@samba ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf-ORG
[root@samba ~]# > /etc/samba/smb.conf





[root@samba ~]# vi /etc/samba/smb.conf



############################# Start of File #############################
[global]
 workgroup = MYGROUP
 passdb backend = smbpasswd:/etc/samba/smbpasswd.db
 log file = /var/log/samba/log.%m
 log level = 3
 idmap config * : backend = tdb

vfs objects = full_audit

# Audit settings
full_audit: prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect opendir mkdir rmdir open read pread write pwrite rename unlink chmodfchmod chown fchown ftruncate
full_audit:facility = local5
full_audit: priority = notice



[Tech Data]
 path = /opt/data
 vfs object = full_audit
 valid users = devendra.joshi
 write list = devendra.joshi
 read only = No
 create mask = 0777
 directory mask = 0777


############################# End of File #############################





----------------------------------------------------------------------------------------
7)Restart smb & nmb restart
----------------------------------------------------------------------------------------

[root@sambaserver ~]# /etc/init.d/smb restart && /etc/init.d/nmb restart

[root@sambaserver ~]# testparm




----------------------------------------------------------------------------------------
8) Configure samba server in GUI mode
----------------------------------------------------------------------------------------

[root@sambaserver ~]# yum install xinetd samba-swat -y



----------------------------------------------------------------------------------------
9) Configure SWAT
----------------------------------------------------------------------------------------

[root@sambaserver ~]# vi /etc/xinetd.d/swat

service swat
{
port = 901
socket_type = stream
wait = no
only_from = 127.0.0.1 192.168.1.0/24
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = no
}




----------------------------------------------------------------------------------------
10) Restart samba and xinetd services
----------------------------------------------------------------------------------------

[root@sambaserver ~]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@sambaserver ~]# /etc/init.d/smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@sambaserver ~]# /etc/init.d/nmb restart
Shutting down NMB services: [ OK ]
Starting NMB services: [ OK ]


Open the web browser from any client syatems. In the address bar type “http://server-ip-address:901″ and press enter.
Now the console screen will open. You can start configure samba server here.





----------------------------------------------------------------------------------------
11) Install rsyslog
----------------------------------------------------------------------------------------

yum install rsyslog rsyslog-mysql

# service rsyslog start
# chkconfig rsyslog on



----------------------------------------------------------------------------------------
12) Edit rsyslog conf file & add following paramitters
----------------------------------------------------------------------------------------
[root@samba ~]# vi /etc/rsyslog.d/00-samba-audit.conf

local5.notice /var/log/samba/audit.log
&~


[root@samba ~]# vi /etc/rsyslog.d/50-default.conf

*.*;local5,auth,authpriv.none -/var/log/syslog

local5.notice /var/log/samba/audit.log



----------------------------------------------------------------------------------------
13) Log Rotation
----------------------------------------------------------------------------------------
[root@samba ~]# vi  /etc/logrotate.d/samba

/var/log/samba/audit.log {
   weekly
   missingok
   rotate 7
   postrotate
      /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
   endscript
   compress
   notifempty
}"


----------------------------------------------------------------------------------------
14 Restart Following Services
----------------------------------------------------------------------------------------
[root@sambaserver ~]# /etc/init.d/smb restart
[root@sambaserver ~]# /etc/init.d/nmb restart
[root@sambaserver ~]# /etc/init.d/rsyslog restart


[root@samba ~]# tail -f /var/log/samba/audit.log


----------------------------------------------------------------------------------------
    End of Document
----------------------------------------------------------------------------------------

1 comment:

  1. Great article! You have a typo in your audit settings: chmodfchmod should be chmod fchmod. Thanks!

    ReplyDelete