On 06/12/2022 17:45, Jeremy Allison via samba wrote:
> On Tue, Dec 06, 2022 at 01:44:09PM +0100, Petr via samba wrote:
>> Hello,
>>
>> I have one share with sensitive data and there are many employees with
>> access to that share. I need to ban users trying to copy files from
>> the share to another place, but leave users normally editing files
>> without any restriction.
>>
>> I want to set proper logging and set fail2ban to ban user accessing
>> too many files in some time limit.
>>
>> I have not found a solution for how to set samba to log every file access.
>> The current configuration snippet is below.
>>
>> vfs objects = full_audit
>> full_audit:prefix = %u|%I
>> full_audit:success = create_file
>>
>> The problem is that it logs directory access too and sometimes it
>> generates many duplicate lines, and it will be hard to define a correct
>> regex for fail2ban.
>>
>> Do you have any advice on how to properly set file reading logging?
>
> How can you tell the difference between users copying
> files and users who are editing in place ?
>
> I must confess I can't see how you're going to do
> this even with perfect logging. Doesn't it depend
> on the editor the clients are using too ?
>
> Can you explain a little more ?

I wondered about this and my first thought was:

What is to stop someone with 'access' permissions opening a file and
then saving a copy locally?

If a user can read it, they can copy it, so the first thing to do is
restrict who can access the share.

You do not need fail2ban, you just need to deny access to those who
cannot edit the files. You can also choose what operations are logged by
vfs_full_audit, try reading its manpage.

Rowland
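
An added example, not code from anyone in this thread: a sliding-window count of distinct files opened per user, built on the `%u|%I` prefix and `create_file` operation from the configuration quoted above, that skips directory opens and collapses duplicate lines. The log layout (ISO timestamp, host, then access mask, `file`/`dir`, disposition and path after `ok`) is an assumption that varies by Samba version and syslog setup, and every log line, user, address and path is constructed. The count shows how many files were opened, not whether they were copied or edited.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout; compare against a real line from your own log before use.
LINE = re.compile(
    r"^(?P<ts>\S+) \S+ smbd_audit: (?P<user>[^|]+)\|(?P<ip>[^|]+)"
    r"\|create_file\|ok\|0x[0-9a-fA-F]+\|(?P<kind>file|dir)\|[^|]+\|(?P<path>.+)$"
)

def find_bulk_readers(lines, max_files=3, window=timedelta(seconds=60)):
    """Map each user to the first time they exceeded max_files distinct
    files opened within the sliding window."""
    recent = defaultdict(deque)      # user -> (timestamp, path), oldest first
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["kind"] == "dir":      # ignore directory opens
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["user"]]
        while q and ts - q[0][0] > window:   # expire entries outside the window
            q.popleft()
        q.append((ts, m["path"]))
        distinct = {path for _, path in q}   # duplicate lines count once
        if len(distinct) > max_files:
            flagged.setdefault(m["user"], ts)
    return flagged

def make_line(sec, user, ip, kind, path):
    """Build one constructed log line in the assumed layout."""
    return (f"2022-12-06T13:00:{sec:02d}+01:00 fs1 smbd_audit: "
            f"{user}|{ip}|create_file|ok|0x120089|{kind}|open|{path}")

# Constructed sample: alice reopens one file repeatedly, bob opens five files.
SAMPLE = sorted(
    [make_line(s, "alice", "10.0.0.5", "file", "/srv/share/report.odt")
     for s in range(0, 50, 5)]
    + [make_line(1, "alice", "10.0.0.5", "dir", "/srv/share")]
    + [make_line(10 + i, "bob", "10.0.0.9", "file", f"/srv/share/doc{i}.odt")
       for i in range(5)]
)

if __name__ == "__main__":
    for user, when in find_bulk_readers(SAMPLE).items():
        print(f"{user} exceeded the threshold at {when.isoformat()}")
```
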