samba - Dec 2022 - samba file access rate limiting

Hello,

I have one share with sensitive data and there is many employees with 
access to that share. I need to ban users trying to copy files from 
share to other place but users normally editing files left without any 
restriction.

I want to set proper logging and set fail2ban to ban user accessing too 
many files in some time limit.

I have not find solution how to set samba to log every file access. The 
current configuration snippet is below.

vfs objects = full_audit
full_audit:prefix = %u|%I
full_audit:success = create_file

Problem is that it logs directory access too and sometimes it generates 
many duplicite lines and it will be hard to define correct regex for 
fail2ban.

Do you have any advice how to properly set file reading logging?

Thank you
Petr

On Tue, Dec 06, 2022 at 01:44:09PM +0100, Petr via samba
wrote:
>Hello,
>
>I have one share with sensitive data and there is many employees with 
>access to that share. I need to ban users trying to copy files from 
>share to other place but users normally editing files left without any 
>restriction.
>
>I want to set proper logging and set fail2ban to ban user accessing 
>too many files in some time limit.
>
>I have not find solution how to set samba to log every file access. 
>The current configuration snippet is below.
>
>vfs objects = full_audit
>full_audit:prefix = %u|%I
>full_audit:success = create_file
>
>Problem is that it logs directory access too and sometimes it 
>generates many duplicite lines and it will be hard to define correct 
>regex for fail2ban.
>
>Do you have any advice how to properly set file reading logging?
How can you tell the difference between users copying
files and users who are editing in place ?

I must confess I can't see how you're going to do
this even with perfect logging. Doesn't it depend
on the editor the clients are using too ?

Can you explain a little more ?