Setting up Audit Logging: Difference between revisions

From SambaWiki
(New documentation: Setting up Audit Logging (Samba 4.7 and later))
 
(8 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= Introduction =
= Introduction =


Samba 4.7 and later supports logging of authentication and authorization events. This enables administrators to log, for example, successful and failed log ins.
Samba 4.7 and later supports logging of authentication and authorization events, and Samba 4.9 supported logging of AD DC database changes. This enables you to log, for example, failed authentication requests or password resets.


An audit event is logged on the Samba server the event was performed on. For example, in an multi-domain controller (DC) environment, an authentication request is logged only on the DC the request was sent to. To store all logs on a centralized server, set up a centralized syslog server, configure Samba to log to the syslog daemon, and configure the syslog daemon to send the logs to the centralized server. For details, see:
Audit logging is a local setting and you must enable this feature on each Samba server individually. Events are logged on the Samba server the event was performed on. To store all logs on a centralized server, set up a centralized syslog server, configure Samba to log to the syslog daemon, and configure the syslog daemon to send the logs to the centralized server. For details, see:
* the <code>logging</code>, <code>syslog</code>, and <code>syslog only</code> parameter descriptions in the <code>smb.conf(5)</code> man page
* The <code>logging</code>, <code>syslog</code>, and <code>syslog only</code> parameter descriptions in the <code>smb.conf(5)</code> man page
* the documentation of your syslog daemon
* The documentation of your syslog daemon


Additionally, you can use utilities, such as [https://www.fail2ban.org Fail2Ban], to monitor the log files and disable a user account on successive failed log ins. For details about setting these utilities, see their corresponding documentation.


:{{Imbox
| type = note
| text = Samba will emit some logging in the file server and domain member configuration, but support is comprehensive '''only in the AD DC'''.
}}




== The Difference Between Authentication and Authorization ==

;Authentication
: Authentication happens when Samba verifies a user name and password combination.

; Authorization
: Authorization happens when the session starts. For example, when opening a distributed computing environment / remote procedure calls (DCE/RPC) pipe, returning from a session setup on server message block (SMB) protocol, or finishing the simple authentication and security layer (SASL) bind on LDAP.
:{{Imbox
| type = note
| text = Samba supports logging of successful authorization events '''but not''' unsuccessful authorization events. It can log '''both''' successful and unsuccessful authentication events.
}}



== Authentication and Authorization Examples ==

The following examples explain when Samba logs authentication and when authorization events. Note that this is not a complete list.

* The Kerberos key distribution center (KDC) on an Active Directory (AD) domain controller (DC) logs an <u>authentication</u> event when a user logs into the domain.
: In an multi-domain controller (DC) environment, an authentication request is only logged on the DC the request was sent to.
* If you connect to a share on a domain member:
:* The domain member logs an <u>authorization</u> event.
:* The KDC on the Samba DC logs an <u>authentication</u> event when using Kerberos authentication.
::When using Kerberos authentication, the KDC is responsible for authentication. Therefore, Samba on an AD domain member can not log the authentication event.
:* The domain member logs an <u>authentication</u> event when using NT LAN Manager (NTLM) authentication.

{{Imbox
| type = note
| text = When using NTLM, <u>authentication</u> and <u>authorization</u> events are always logged as a pair. However, when using Kerberos, one <u>authentication</u> event is logged on the DC when it issues the Ticket Granting Ticket (TGT), and each time you access a service, an <u>authorization</u> event is logged.
}}


= Logging Formats =
= Logging Formats =

The audit log feature supports the standard and JSON format. You can enable each format individually or both together using the different log debug classes.




== Standard Log Format ==
== Standard Log Format ==
Line 50: Line 89:




= Enabling Audit Logging =
= The Audit Logging Debug Classes =


Depending on the log level, Samba logs different events. However, to limit the amount of log entries, you can only increase the log level for the audit-related debug classes. For details, see [[Configuring_Logging_on_a_Samba_Server#Setting_Individual_Log_Levels_for_Debug_Classes|Setting Individual Log Levels for Debug Classes]].
Depending on the log level, Samba logs different events. However, to limit the amount of log entries, you can only increase the log level for the audit-related debug classes. For details, see [[Configuring_Logging_on_a_Samba_Server#Setting_Individual_Log_Levels_for_Debug_Classes|Setting Individual Log Levels for Debug Classes]].
Line 58: Line 97:
* <code>auth_json_audit</code> JSON format. This feature requires built-in JSON support in Samba. See [[#Verifying_if_JSON_Support_is_Enabled_in_Samba|Verifying if JSON Support is Enabled in Samba]].
* <code>auth_json_audit</code> JSON format. This feature requires built-in JSON support in Samba. See [[#Verifying_if_JSON_Support_is_Enabled_in_Samba|Verifying if JSON Support is Enabled in Samba]].



To set the default log level to <code>1</code> and enabling the highest audit log level (anonymous authentication and authorization success logging):



= Enabling Authentication Audit Logging =

To set the default log level to <code>1</code> and enabling logging of failed and successful authentication requests (<code>3</code>):


* Set in the <code>[global]</code> section in the <code>smb.conf</code> file:
* Set in the <code>[global]</code> section in the <code>smb.conf</code> file:


log level = 1 auth_audit:5 auth_json_audit:5
log level = 1 auth_audit:3 auth_json_audit:3


:* For further details, see the <code>log level</code> parameter description in the <code>smb.conf (5)</code> man page.
:For further details, see the <code>log level</code> parameter description in the [https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#LOGLEVEL <code>smb.conf (5)</code> man page].

:{{Imbox
| type = note
| text = A higher log level includes logging of events from lower levels.
}}


* Restart Samba.
* Restart Samba.


= Enabling AD DC Database Audit Logging =

To set the default log level to <code>1</code> and enabling logging of database changes as JSON:

* Set in the <code>[global]</code> section in the <code>smb.conf</code> file:

log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5

:For further details, see the <code>log level</code> parameter description in the [https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#LOGLEVEL <code>smb.conf (5)</code> man page].

:{{Imbox
| type = note
| text = A higher log level includes logging of events from lower levels.
}}

* Restart Samba.







Revision as of 23:35, 15 April 2021

Introduction

Samba 4.7 and later supports logging of authentication and authorization events, and Samba 4.9 supported logging of AD DC database changes. This enables you to log, for example, failed authentication requests or password resets.

Audit logging is a local setting and you must enable this feature on each Samba server individually. Events are logged on the Samba server the event was performed on. To store all logs on a centralized server, set up a centralized syslog server, configure Samba to log to the syslog daemon, and configure the syslog daemon to send the logs to the centralized server. For details, see:

  • The logging, syslog, and syslog only parameter descriptions in the smb.conf(5) man page
  • The documentation of your syslog daemon

Additionally, you can use utilities, such as Fail2Ban, to monitor the log files and disable a user account on successive failed log ins. For details about setting these utilities, see their corresponding documentation.


The Difference Between Authentication and Authorization

Authentication
Authentication happens when Samba verifies a user name and password combination.
Authorization
Authorization happens when the session starts. For example, when opening a distributed computing environment / remote procedure calls (DCE/RPC) pipe, returning from a session setup on server message block (SMB) protocol, or finishing the simple authentication and security layer (SASL) bind on LDAP.


Authentication and Authorization Examples

The following examples explain when Samba logs authentication and when authorization events. Note that this is not a complete list.

  • The Kerberos key distribution center (KDC) on an Active Directory (AD) domain controller (DC) logs an authentication event when a user logs into the domain.
In an multi-domain controller (DC) environment, an authentication request is only logged on the DC the request was sent to.
  • If you connect to a share on a domain member:
  • The domain member logs an authorization event.
  • The KDC on the Samba DC logs an authentication event when using Kerberos authentication.
When using Kerberos authentication, the KDC is responsible for authentication. Therefore, Samba on an AD domain member can not log the authentication event.
  • The domain member logs an authentication event when using NT LAN Manager (NTLM) authentication.

Logging Formats

The audit log feature supports the standard and JSON format. You can enable each format individually or both together using the different log debug classes.


Standard Log Format

Audit logging using the standard log format is automatically supported in Samba and does not require additional libraries.

The following example displays a log entry of an successful user authentication on a Samba DC using the standard log format:

[2017/07/04 21:07:41.410381,  4, pid=21757] ../auth/auth_log.c:848(log_successful_authz_event_human_readable)
  Successful AuthZ: [SMB2,krb5] user [SAMDOM]\[Administrator] [S-1-5-21-469703510-2364959079-1506205053-500] at [Di, 04 Jul 2017 21:07:41.410364 CEST] Remote host [ipv4:10.99.0.81:58828] local host [ipv4:10.99.0.1:445]


Logging in JSON Format

If the jansson library was installed on the system where you build Samba, JSON support is automatically built into Samba.

The following example displays a log entry of an successful user authentication on a Samba DC using the JSON format:

[2017/07/04 21:07:41.410434,  4, pid=21757] ../auth/auth_log.c:220(log_json)
  JSON Authorization: {"type": "Authorization", "timestamp": "2017-07-04T21:07:41.410408+0200", "Authorization": {"version": {"major": 1, "minor": 0}, "sid": "S-1-5-21-469703510-2364959079-1506205053-500", "serviceDescription": "SMB2", "localAddress": "ipv4:10.99.0.1:445", "remoteAddress": "ipv4:10.99.0.81:58828", "transportProtection": "SMB", "authType": "krb5", "domain": "SAMDOM", "account": "Administrator", "logonServer": "DC1", "accountFlags": "0x00000210"}}


Verifying if JSON Support is Enabled in Samba

To verify if Samba has been build with JSON support, enter:

# smbd -b | grep HAVE_JSON_OBJECT
HAVE_JSON_OBJECT

If no output is displayed, Samba was compiled without JSON support. To build Samba with JSON support, install the jansson header files and rebuild Samba. For details, see:



The Audit Logging Debug Classes

Depending on the log level, Samba logs different events. However, to limit the amount of log entries, you can only increase the log level for the audit-related debug classes. For details, see Setting Individual Log Levels for Debug Classes.

You can use the following debug classes to control the audit log level independently from the default log level:



Enabling Authentication Audit Logging

To set the default log level to 1 and enabling logging of failed and successful authentication requests (3):

  • Set in the [global] section in the smb.conf file:
log level = 1 auth_audit:3 auth_json_audit:3
For further details, see the log level parameter description in the smb.conf (5) man page.
  • Restart Samba.


Enabling AD DC Database Audit Logging

To set the default log level to 1 and enabling logging of database changes as JSON:

  • Set in the [global] section in the smb.conf file:
log level = 1 dsdb_json_audit:5 dsdb_password_json_audit:5 dsdb_group_json_audit:5 dsdb_transaction_json_audit:5
For further details, see the log level parameter description in the smb.conf (5) man page.
  • Restart Samba.