Home

Samba Logging for Audit Trails

Issue 120

From Issue #120
April 2004

Apr 01, 2004  By Edward Kablaoui
 in
Audit trails are a network security requirement for both Northrop Grumman and its customers. A small modification to Samba enabled the company's sysadmins to create the needed audit trails.

Listing 1. Log Entries from /var/log/samba/log.smbd

[2003/11/25 17:13:12, 0] smbd/server.c:main(791)
    smbd version 2.2.8a started.
  Copyright Andrew Tridgell and the \
    Samba Team 1992-2002
[2003/11/25 17:17:32, 0] \
    rpc_server/srv_netlog_nt.c:_net_sam_logon(643)
  Logon . Domain:[NETDOMAIN].\
    HostName:[192.168.0.15]. \
    User:[john]. FAILED No Such User
[2003/11/25 17:17:55, 0] \
    rpc_server/srv_netlog_nt.c:_net_sam_logon(665)
  Logon . Domain:[NETDOMAIN]. \
    HostName:[192.168.0.15]. \
    User:[bill]. FAILED Incorrect Password
[2003/11/25 17:18:33, 0] \
    rpc_server/srv_netlog_nt.c:_net_sam_logon(691)
  Logon . Domain:[NETDOMAIN]. \
    HostName:[192.168.0.15] \
    User:[bill] Successfully Logged On
[2003/11/25 17:19:34, 0] \
    smbd/chgpasswd.c:check_oem_password(836)
  check_oem_password: incorrect password length \
    (262218674) for user bill.
[2003/11/25 17:19:46, 0] \
    smbd/chgpasswd.c:chgpasswd(474)
  Password Change: user bill, \
    New password is shorter than minimum password \
    length = 8
[2003/11/25 17:21:29, 0] \
    smbd/chgpasswd.c:chat_with_program(450)
  Password Change . User:[bill] \
    Password Successfully Changed
[2003/11/25 17:16:58, 0] \
    smbd/service.c:close_cnum(680)
  clientPC (192.168.0.15) \
    closed connection to service bill

Users can be added to the domain by running the command smbpasswd -a username as root and setting the user password. The passwords are stored in the /etc/samba/private/smbpasswd file. Users also can be disabled with the command smbpasswd -d and enabled by running smbpasswd -e.

For more details on configuring Samba for Windows 2000 clients and understanding SMB protocols, O'Reilly's Using Samba, Second Edition, by Jay Ts, Robert Eckstein and David Collier-Brown, is an excellent reference.

Modifying Samba Source Code for Audit Trails

Once the network was configured and working properly, the next step was to record the required information for the audit trails in the log.smbd file. Initially, this was attempted by setting various logging levels in the smb.conf file, restarting the Samba dæmons by executing /etc/init.d/samba restart and then analyzing the output from the log files while performing various tasks on a Windows 2000 client. Unfortunately, regardless of the log level, none of the required information was being logged. At this point, it became obvious that modifications to the source code were necessary to generate the log entries.

The Samba source code is in the samba-2.2.8a/source directory and is the root directory for the filename in the log messages. The first entry in Listing 1 shows the file as smbd/server.c:main(791). By examining line 791 in the samba-2.2.8a/source/smbd/server.c file, you can see the DEBUG macro is used to generate the log message. The syntax for the DEBUG macro is: 

DEBUG(log_level, "string", arguments);

The format for the second and third arguments is similar to the printf function. Examples of custom DEBUG statements are shown in Listings 2 through 4.

Listing 2. DEBUG Calls Added to source/rpc_server/srv_netlog_nt.c


632  /* get the account information */
633  pdb_init_sam(&sampass);
634  become_root();
635  ret = pdb_getsampwnam(sampass, nt_username);
636  unbecome_root();
637
638
639  if (!ret)
640  {
641     pdb_free_sam(sampass);
642     // ESK
631  /* checks for failed users */
643     DEBUG(0,("Logon . Domain:[%s]. HostName: \
       [%s]. User:[%s]. FAILED No Such User \n",
             lp_workgroup(),
             client_addr(),
             nt_username));
644     return NT_STATUS_NO_SUCH_USER;
645  }
646
647  acct_ctrl = pdb_get_acct_ctrl(sampass);
630  map_username(nt_username);
.
.
.
663  /* Check for failed password */
664  if (!NT_STATUS_IS_OK(status)) {
665     DEBUG(0,("Logon . Domain:[%s]. HostName: \
   [%s]. User:[%s]. FAILED Incorrect Password \n",
             lp_workgroup(),
             client_addr(),
             nt_username));
666     pdb_free_sam(sampass);
667     return status;
668  }
.
.
.
669 /* Check PAM Password */
670 #ifdef WITH_PAM
671  become_root();
672  status =
   smb_pam_accountcheck(pdb_get_username(sampass));
673  unbecome_root();
674  if (!NT_STATUS_IS_OK(status)) {
675     pdb_free_sam(sampass);
676     DEBUG(0,("Logon . Domain:[%s]. HostName: \
   [%s]. User:[%s]. FAILED Incorrect Password \n",
                lp_workgroup(),
                client_addr(),
                nt_username));
677     return status;
678  }
679 #endif
.
.
.
690   /* Makes it to this point you have
         successfully logged on */
691   DEBUG(0,("Logon . Domain:[%s]. HostName: \
       [%s] User:[%s] Successfully Logged On\n",
                lp_workgroup(),
                client_addr(),
                nt_username));
______________________

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions