Samba audit tweaks


(Enrique D) #1

Can the audit be tweaked to ignore read/access and just log write/update?
Note # 1:
I forgot this: The shared folders are “read only” for all the users except for the administrator group (so there is a potential big problem with samba audit + logs + antivirus).

Because our antivirus seems to kill our NS server, it hits each file (scan) and the audit grows by thousands of records in a few days. Worse, there are none of the user files for daily work, yet.

So, I’m tweaking the AV to ignore the shares, but I still see some access on the “SambaStatus - locked files”. Need to check the filters again.

(Giacomo Sanchietti) #2

You need to create a template custom:

mkdir -p /etc/e-smith/templates-custom/etc/samba/smb.conf/
cp /etc/e-smith/templates/etc/samba/smb.conf/30audit /etc/e-smith/templates-custom/etc/samba/smb.conf/

Then tweak /etc/e-smith/templates-custom/etc/samba/smb.conf/30audit to your needs. Finally: signal-event nethserver-samba-save

Regarding the AV, please consider that it is not supported on NS, so you need to find a good balance between auditing and antivirus.
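As an added illustration of the "tweak to your needs" step (not part of the post above and not NethServer's shipped template): assuming the 30audit fragment configures Samba's vfs_full_audit module, the custom copy could restrict logging to modifying operations like this. The "before" line is constructed for contrast.

```ini
; Added example, not the contents of NethServer's 30audit template.
; Assumption: the template sets vfs_full_audit options; keep every other
; line it contains (vfs objects, prefix, facility, ...) unchanged.

; Before (constructed): every successful operation is logged, so each
; file an antivirus scanner opens and reads leaves audit records.
;   full_audit:success = all

; After: only operations that create, change, rename or delete are logged.
; Operation names differ between Samba releases (newer ones use names such
; as mkdirat, renameat, unlinkat); check `man vfs_full_audit` on the server
; and use the names listed there.
full_audit:success = pwrite mkdir rmdir rename unlink

; Log the same operations when they fail: on read-only shares a failed
; write or delete is the record that shows who attempted a change.
full_audit:failure = pwrite mkdir rmdir rename unlink
```

After running the signal-event command from the post, `testparm -s` prints the smb.conf that Samba actually parsed, which confirms the narrowed lists took effect.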


(Enrique D) #3

Thanks for the tip (template custom)!

Yes, seems the filter added yesterday is working… need to keep an eye on samba status.


(Enrique D) #4

After some days keeping an eye on this, I see that some users can access the shared folders (the AV).
So I re-checked the shared folder and changed this:

Some users just keep grabbing some folders, so I fought it by changing the folder name (did not work), moving the folder inside another folder (did not work), so, finally I moved the files from the folder to a new folder on the shared one, the AV doesn’t see the files and lets it go. Then I deleted the empty folders, recreated the needed one and moved the files again. The user/AV is tamed for now. Let’s see in the next days.

And yes, the shared folder is hidden, but as we know the name of the shared folder we can use it and install our programs… it isn’t a problem, we are the ‘demi-gods’ of IT here, we need to know the shared folder names.