On 06. 12. 22 at 19:01, Rowland Penny via samba wrote:
>
> On 06/12/2022 17:45, Jeremy Allison via samba wrote:
>> On Tue, Dec 06, 2022 at 01:44:09PM +0100, Petr via samba wrote:
>>> Hello,
>>>
>>> I have one share with sensitive data and there are many employees with
>>> access to that share. I need to ban users trying to copy files from
>>> the share to another place, while users normally editing files are left
>>> without any restriction.
>>>
>>> I want to set proper logging and set fail2ban to ban user accessing
>>> too many files in some time limit.
>>>
>>> I have not found a solution for how to set samba to log every file
>>> access. The current configuration snippet is below.
>>>
>>> vfs objects = full_audit
>>> full_audit:prefix = %u|%I
>>> full_audit:success = create_file
>>>
>>> The problem is that it logs directory access too and sometimes it
>>> generates many duplicate lines, and it will be hard to define a correct
>>> regex for fail2ban.
>>>
>>> Do you have any advice how to properly set file reading logging?
>>
>> How can you tell the difference between users copying
>> files and users who are editing in place ?
>>
>> I must confess I can't see how you're going to do
>> this even with perfect logging. Doesn't it depend
>> on the editor the clients are using too ?
>>
>> Can you explain a little more ?
>
> I wondered about this and my first thought was:
>
> What is to stop someone with 'access' permissions opening a file and
> then saving a copy locally ?
>
> If a user can read it, they can copy it, so the first thing to do is,
> restrict who can access the share.
>
> You do not need fail2ban, you just need to deny access to those who
> cannot edit the files. You can also choose what operations are logged by
> vfs_full_audit, try reading its manpage.
>
> Rowland
>
The idea is simple but may not be correct. If anyone opens 1 file in the samba
share, one OPEN event is logged and it is OK. If anyone copies a whole
directory with 100 files, then 100 events are logged and if, for example,
the limit is set to 60/minute....he will be banned.
The idea is to ban massive actions like copying the whole share or some part
of it.
Petr
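
The rate limit described in the last message (100 opens against a limit of 60/minute), as an added example that is not part of the original thread: a sliding-window counter over full_audit lines that skips directory opens and duplicate lines. The timestamp prefix and the field layout after `smbd_audit:` are assumptions, and the sample log lines, users and addresses are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

LIMIT, WINDOW = 60, 60  # the thread's example: 60 opens per minute (60 s)

def parse(line):
    """Return (time, user, ip, path) for a successful open of a file, else None.
    ASSUMED layout: '<ISO time> smbd_audit: user|ip|op|result|mask|kind|disposition|path'."""
    try:
        stamp, rest = line.split(" ", 1)
        fields = rest.split("smbd_audit: ", 1)[1].strip().split("|")
        user, ip, op, result, _mask, kind, _disp = fields[:7]
        when, path = datetime.fromisoformat(stamp), "|".join(fields[7:])
    except (IndexError, ValueError):
        return None
    if op != "create_file" or result != "ok" or kind != "file" or not path:
        return None  # directory opens and other operations are not counted
    return when, user, ip, path

def detect(lines, limit=LIMIT, window=WINDOW):
    """Map (user, ip) -> time at which more than `limit` distinct files
    had been opened within `window` seconds."""
    recent = defaultdict(deque)  # (user, ip) -> (time, path) pairs in window
    flagged = {}
    for event in map(parse, lines):
        if event is None:
            continue
        when, user, ip, path = event
        queue = recent[(user, ip)]
        while queue and (when - queue[0][0]).total_seconds() >= window:
            queue.popleft()  # drop opens that fell out of the window
        if any(p == path for _, p in queue):
            continue  # duplicate line for a file already counted
        queue.append((when, path))
        if len(queue) > limit:
            flagged.setdefault((user, ip), when)
    return flagged

def sample_lines():
    """Constructed log: alice re-opens one file, bob opens 100 files in 50 s."""
    out = []
    for s in range(50):
        t, tail = f"2022-12-06T19:00:{s:02d} smbd_audit: ", "create_file|ok|0x120089|"
        out.append(f"{t}alice|10.0.0.5|{tail}file|open|docs/report.odt")
        out.append(f"{t}bob|10.0.0.9|{tail}dir|open|docs")
        out += [f"{t}bob|10.0.0.9|{tail}file|open|docs/f{n}.pdf" for n in (2 * s, 2 * s + 1)]
    return out

if __name__ == "__main__":
    for (user, ip), when in detect(sample_lines()).items():
        print(f"{when} {user} from {ip} exceeded {LIMIT} file opens in {WINDOW} s")
```

The counter measures only how many distinct files one user and address open per window; as the replies above point out, it cannot tell a copy from an edit.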