Configuring GuardMode Agent for SAMBA setup
Before configuring the GuardMode Agent for SAMBA, it's crucial to ensure the system's configuration is in its initial state, especially for SAMBA VFS Full Audit, journald, and rsyslog.
The GuardMode Agent uses the VFS Full Audit module to monitor SAMBA share events. If you've customized this module for other purposes, contact support to check if it can be shared with the GuardMode Agent.
Tip. After installing the GuardMode Agent, avoid altering the SAMBA VFS Full Audit module configuration until it's removed.
Journald configuration
For journald, the SAMBA configuration script will set the following parameters:
RateLimitIntervalSec="10"
RateLimitBurst="20000"
There are no other specific requirements for journald configuration.
Rsyslog configuration
The GuardMode Agent uses the local5.debug
selector to transfer data between SAMBA and rsyslog. The configuration script will automatically adjust any usage of this selector to local5.info
. It will also modify the usage of local5.
to local5.*;local5.!=debug
and .*
to *.*;local5.!=debug
selectors to exclude local5.debug
.
Tip. If you need the local5.debug
selector for other purposes, you can configure SAMBA and rsyslog to use a different selector. In that case contact support for assistance.
Network configuration
The GuardMode Agent uses the local TCP port 65432 for data transfer between rsyslog and the Agent. This port must be open for the Agent to operate correctly. If you need to use a different TCP port, consult support on configuring rsyslog and the GuardMode Agent accordingly.
Changes to the OS Configuration During SAMBA Setup
During the SAMBA configuration for the GuardMode Agent, several modifications are made to the operating system:
SAMBA Configuration: The script modifies
/etc/samba/smb.conf
. For SAMBA versions 14.13 or below, it also modifies any other files included insmb.conf
where shares are defined. Additionally, the script adds/etc/samba/catalogic.audit.conf
.journald Configuration: The script adds a new file,
/etc/systemd/journald.conf.d/99-catalogic.conf
to configure journald.rsyslogd Configuration: The script modifies
/etc/rsyslog.conf
and any configuration files in/etc/rsyslog.d/
. It also adds/etc/rsyslog.d/catalogic.cfg
.
Configuring SAMBA for the GuardMode Agent
Attention! You should only runconfigure_smb.sh script
after setting up SAMBA and executing the install.sh
or upgrade.sh.
To configure SAMBA (along with journald and rsyslog) for the GuardMode Agent, run the SAMBA configuration script using:
Tip. For RHEL systems, the configuration script adds the following record to the SELinux policy:semanage port -a -t syslogd_port_t -p tcp 65432
Last updated