Track filesystem events triggered on Windows Server on a network drive mounted by Samba

  auditing, filesystems, linux, samba, windows

I need to track files open/creation/deletion, directories creation/deletion and permissions/ownership changes triggered by Windows Server 2016 users on a network drive mounted by Samba. The real filesystem and Samba server are on a CentOS7 system. All the filesystem operations must contain the ID of the user and the ID of the process which triggered it. The obvious solutions are Windows auditing and Windows FS change notification API, but both do not work with a Samba mount provided by Linux.

Regarding Windows auditing, I have enabled filesystem and file share auditing on the local group policy editor, but I get the following message when I try to enable auditing for the network drive in the Auditing tab in its advanced security settings: "You do not have permission to view or edit this object’s audit settings". I am a domain admin in the Windows system, so theoretically I should be able to enable auditing anywhere. I think this has something to do with Samba/Linux.

Regarding the Windows FS change notification API, I implemented a script with the ReadDirectoryChangesW function as explained in https://docs.microsoft.com/en-us/windows/win32/fileio/obtaining-directory-change-notifications. FS events are logged when watching local directories, but nothing is logged in the Samba mount.

Has anybody managed to get these two solutions working with a Samba mount which is mapped to a Linux EXT4/XFS filesystem? Are there any alternatives?

I managed to track the FS events on the Linux side using Linux's Audit framework, but I miss the process ID, as Samba does not transmit that information to the Linux filesystem syscalls.

Source: Windows Questions
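As an added example (not part of the question or of any answer), a small parser over constructed auditd records for a watch rule on the share path, showing what the Linux audit trail actually carries for an SMB-triggered operation: the uid Samba serves the request as, and the pid and comm of the smbd worker rather than the Windows client process, which is exactly the gap described above. The share path `/srv/share`, the key `samba_share` and all record values are assumptions.

```python
import re
from collections import defaultdict

# Constructed auditd records (not real logs) as produced by a watch rule such as
#   auditctl -w /srv/share -p wa -k samba_share
# Field values are made up; the format follows audit.log's SYSCALL/CWD/PATH records.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1601000000.101:4567): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1200 pid=1234 auid=4294967295 uid=1001 gid=1001 euid=1001 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" key="samba_share"
type=CWD msg=audit(1601000000.101:4567): cwd="/srv/share"
type=PATH msg=audit(1601000000.101:4567): item=0 name="/srv/share/" inode=123 dev=fd:01 mode=040770 ouid=0 ogid=1001 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1601000000.101:4567): item=1 name="/srv/share/report.docx" inode=456 dev=fd:01 mode=0100660 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1601000000.202:4568): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=1200 pid=1234 auid=4294967295 uid=1001 gid=1001 euid=1001 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" key="samba_share"
type=PATH msg=audit(1601000000.202:4568): item=0 name="/srv/share/" inode=123 dev=fd:01 mode=040770 ouid=0 ogid=1001 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1601000000.202:4568): item=1 name="/srv/share/old.txt" inode=789 dev=fd:01 mode=0100660 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE
"""

# x86_64 syscall numbers for the operations the question wants to track.
SYSCALLS = {"2": "open", "257": "openat", "83": "mkdir", "258": "mkdirat",
            "84": "rmdir", "87": "unlink", "263": "unlinkat",
            "90": "chmod", "268": "fchmodat", "92": "chown", "260": "fchownat"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

def parse_fields(line):
    """Turn one audit record into a dict, stripping quotes from values.
    (auditd hex-encodes names containing spaces or non-ASCII; not decoded here.)"""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def parse_audit(text):
    """Group records by event serial and summarise each file operation."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        f = parse_fields(line)
        ev = events[int(m.group(2))]
        if f["type"] == "SYSCALL":
            # uid is the Unix account smbd switched to for this SMB session;
            # pid/comm identify the smbd worker, not the Windows client process.
            ev.update(syscall=SYSCALLS.get(f["syscall"], f["syscall"]),
                      uid=int(f["uid"]), pid=int(f["pid"]), comm=f["comm"],
                      key=f.get("key"))
        elif f["type"] == "PATH" and f.get("nametype") != "PARENT":
            ev["paths"].append((f["nametype"], f["name"]))
    return [e for _, e in sorted(events.items()) if e.get("syscall")]

if __name__ == "__main__":
    for e in parse_audit(SAMPLE_LOG):
        print(e["syscall"], "uid=%d pid=%d comm=%s" % (e["uid"], e["pid"], e["comm"]), e["paths"])
```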
