Sunday, 1 February 2015

Samba Server with Audit Log Facility


Samba Server with Audit Log Facility (Syslog) in CentOS 6.*

----------------------------------------------------------------------------------------
1) Stop unwamted Services or settings
----------------------------------------------------------------------------------------
# /etc/init.d/NetworkManager stop
# chkconfig NetworkManager off
Note: Make sure you have configured Network i.e. (IP Address/Netmask/Gateway/DNS)

 # /etc/init.d/sendmail stop
# chkconfig sendmail off
# vi /etc/sysconfig/selinux
SELINUX=disabled
HOSTNAME=samba.deva.com

----------------------------------------------------------------------------------
2) Bashrc Setting
----------------------------------------------------------------------------------

 #vi /etc/bashrc

 #----------------------------------------------------------------------------------
#CHANGES START
#----------------------------------------------------------------------------------
alias c='clear'
alias df='df -Th'
export HISTSIZE=10000
export HISTTIMEFORMAT="%h %d %H:%M:%S "
export HISTFILESIZE=10000…
#----------------------------------------------------------------------------------
#CHANGES END
#----------------------------------------------------------------------------------
#. /etc/bashrc



----------------------------------------------------------------------------------------
3) Open Necessary Ports in iptables
----------------------------------------------------------------------------------------
# vi /etc/sysconfig/iptables

 ### deva Network ###
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 901 -j ACCEPT

Note :192.168.1.0/24 will be your Network

 #/etc/init.d/iptables restart
#chkconfig iptables on
----------------------------------------------------------------------------------------
4) Install Require Packages and dependencies and verify
----------------------------------------------------------------------------------------
#yum update kernel

 #yum install -y samba samba-commons cups-libs
#yum install samba* -y
#yum install xinetd samba-swat -y

 ----------------------------------------------------------------------------------------
5)Create Share , Group & User
----------------------------------------------------------------------------------------

 [root@samba ~]# mkdir   /opt/data

 [root@samba ~]# groupadd tech
[root@samba ~]# chgrp -R tech   /opt/data
[root@samba ~]# chmod -R 777   /opt/data

 [root@samba ~]# useradd devendra.joshi
[root@samba ~]# usermod -G tech devendra.joshi
[root@samba ~]# smbpasswd -a devendra.joshi
New SMB password:
Retype new SMB password:
Added user devendra.joshi.





----------------------------------------------------------------------------------------
6)Backup smb.conf , Edit smb.conf & paste following config in smb.conf
----------------------------------------------------------------------------------------

 [root@samba ~]# cp /etc/samba/smb.conf /etc/samba/smb.conf-ORG
[root@samba ~]# > /etc/samba/smb.conf



[root@samba ~]# vi /etc/samba/smb.conf

############################# Start of File #############################
[global]
 workgroup = MYGROUP
 passdb backend = smbpasswd:/etc/samba/smbpasswd.db
 log file = /var/log/samba/log.%m
 log level = 3
 idmap config * : backend = tdb

 vfs objects = full_audit

 # Audit settings
full_audit: prefix = %u|%I|%S
full_audit:failure = connect
full_audit:success = connect opendir mkdir rmdir open read pread write pwrite rename unlink chmodfchmod chown fchown ftruncate
full_audit:facility = local5
full_audit: priority = notice

[Tech Data]
 path = /opt/data
 vfs object = full_audit
 valid users = devendra.joshi
 write list = devendra.joshi
 read only = No
 create mask = 0777
 directory mask = 0777
############################# End of File #############################



----------------------------------------------------------------------------------------
7)Restart smb & nmb restart
----------------------------------------------------------------------------------------

 [root@sambaserver ~]# /etc/init.d/smb restart && /etc/init.d/nmb restart

 [root@sambaserver ~]# testparm


----------------------------------------------------------------------------------------
8) Configure samba server in GUI mode
----------------------------------------------------------------------------------------

 [root@sambaserver ~]# yum install xinetd samba-swat -y

----------------------------------------------------------------------------------------
9) Configure SWAT
----------------------------------------------------------------------------------------

 [root@sambaserver ~]# vi /etc/xinetd.d/swat

 service swat
{
port = 901
socket_type = stream
wait = no
only_from = 127.0.0.1 192.168.1.0/24
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = no
}


----------------------------------------------------------------------------------------
10) Restart samba and xinetd services
----------------------------------------------------------------------------------------

 [root@sambaserver ~]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@sambaserver ~]# /etc/init.d/smb restart
Shutting down SMB services: [ OK ]
Starting SMB services: [ OK ]
[root@sambaserver ~]# /etc/init.d/nmb restart
Shutting down NMB services: [ OK ]
Starting NMB services: [ OK ]
Open the web browser from any client syatems. In the address bar type “http://server-ip-address:901″ and press enter.
Now the console screen will open. You can start configure samba server here.



----------------------------------------------------------------------------------------
11) Install rsyslog
----------------------------------------------------------------------------------------

 yum install rsyslog rsyslog-mysql

 # service rsyslog start
# chkconfig rsyslog on

----------------------------------------------------------------------------------------
12) Edit rsyslog conf file & add following paramitters
----------------------------------------------------------------------------------------
[root@samba ~]# vi /etc/rsyslog.d/00-samba-audit.conf

 local5.notice /var/log/samba/audit.log
&~
[root@samba ~]# vi /etc/rsyslog.d/50-default.conf

 *.*;local5,auth,authpriv.none -/var/log/syslog

 local5.notice /var/log/samba/audit.log

----------------------------------------------------------------------------------------
13) Log Rotation
----------------------------------------------------------------------------------------
[root@samba ~]# vi  /etc/logrotate.d/samba

 /var/log/samba/audit.log {
   weekly
   missingok
   rotate 7
   postrotate
      /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
   endscript
   compress
   notifempty
}"
----------------------------------------------------------------------------------------
14 Restart Following Services
----------------------------------------------------------------------------------------
[root@sambaserver ~]# /etc/init.d/smb restart
[root@sambaserver ~]# /etc/init.d/nmb restart
[root@sambaserver ~]# /etc/init.d/rsyslog restart
[root@samba ~]# tail -f /var/log/samba/audit.log
----------------------------------------------------------------------------------------
    End of Document
----------------------------------------------------------------------------------------
Posted by at

1 comment:

  1. Unknown17 October 2018 at 07:11

    Great article! You have a typo in your audit settings: chmodfchmod should be chmod fchmod. Thanks!

    ReplyDelete

Subscribe to: Post Comments (Atom)