Our company has a file server running 64-bit Debian Squeeze, sharing some folders with Linux servers using NFSv2 and with Windows workstations using Samba.
I want to log access to a specific set of shared files.
I installed and configured the full_audit Samba module, which logs Samba operations, using the following configuration:

    [MY_SHARE]
    path = /share/directory_to_watch
    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = pread read
    full_audit:failure = none
    full_audit:facility = local7
    full_audit:priority = warning

The problem is that the logs record actions that the user didn't perform: from a Windows workstation, you go into a folder by clicking on it and stop there, and then every file in the folder is marked as read in the logs. So full_audit is clearly not a reliable tool. Or am I doing something wrong?
I tried to install the Linux tool auditd on my file server. This tool logs system calls on the machine where it is installed. But when users access the files I want to monitor via the NFS mounts on other servers, the system calls occur on the server mounting the share, not on the file server (that is the way NFS works). And I want to avoid a situation where I am supposed to deploy monitoring tools everywhere.
So the questions are: has anyone met the same problem as me with the full_audit Samba module? Does anyone know a good way to log file access on an NFS server?
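
One way to post-process the syslog lines this configuration produces, as an added example that is not part of the original post: it separates bursts in which many files of one directory are read within seconds (the pattern described above) from isolated reads. The log line layout, the sample lines, the default year and both thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import dirname

# Constructed sample lines (not from the post). Assumed layout:
# "<syslog timestamp> <host> smbd_audit: <prefix>|<operation>|<result>|<path>"
SAMPLE = """\
Mar  3 10:15:01 fs01 smbd_audit: alice|10.0.0.21|ws-alice|MY_SHARE|pread|ok|reports/a.xls
Mar  3 10:15:01 fs01 smbd_audit: alice|10.0.0.21|ws-alice|MY_SHARE|pread|ok|reports/b.doc
Mar  3 10:15:02 fs01 smbd_audit: alice|10.0.0.21|ws-alice|MY_SHARE|pread|ok|reports/c.pdf
Mar  3 10:15:02 fs01 smbd_audit: alice|10.0.0.21|ws-alice|MY_SHARE|pread|ok|reports/c.pdf
Mar  3 11:40:10 fs01 smbd_audit: bob|10.0.0.22|ws-bob|MY_SHARE|pread|ok|reports/a.xls
Mar  3 11:40:11 fs01 kernel: unrelated line
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ smbd_audit: (.*)$")

def parse(line, year=2000):
    """Return an event dict, or None for lines that are not full_audit records."""
    m = LINE.match(line)
    fields = m.group(2).split("|", 6) if m else []
    if len(fields) != 7:  # prefix (%u|%I|%m|%S) + operation + result + path
        return None
    user, ip, _machine, share, op, result, path = fields
    # Classic syslog timestamps carry no year; `year` is a caller-supplied assumption.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return dict(ts=ts, user=user, ip=ip, share=share, op=op, result=result, path=path)

def classify(lines, window=5, min_files=3):
    """Burst = >= min_files distinct files of one directory read by one user and
    client within `window` seconds (both thresholds are assumptions)."""
    groups = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if ev["op"] in ("pread", "read") and ev["result"] == "ok":
            groups[ev["user"], ev["ip"], ev["share"], dirname(ev["path"])].append(ev)
    bursts, isolated, span = [], [], timedelta(seconds=window)
    for key, evs in groups.items():
        hit = set()
        for e in evs:
            near = {x["path"] for x in evs if e["ts"] <= x["ts"] <= e["ts"] + span}
            if len(near) >= min_files:  # repeated preads of one file count once
                hit |= near
        if hit:
            bursts.append((key, sorted(hit)))
        isolated += sorted({(e["user"], e["path"]) for e in evs if e["path"] not in hit})
    return bursts, isolated
```

`classify(SAMPLE.splitlines())` returns the directory-wide bursts and the isolated reads as two lists, so the two kinds of record can be reviewed separately.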