auditing patch for samba

Andy Bakun abakun at thwartedefforts.org
Thu Feb 21 16:06:04 GMT 2002


About every three or four months, I get an email from someone who needs 
Samba auditing and who found my web page with my patch against 2.0.7 on 
it (http://thwartedefforts.org/software/samba/samba-audit.html).  When 
it was originally written, the VFS interface wasn't finalized.

So a few weeks ago I got another email asking if I had a patch for it 
against 2.2.3.  I was going to update it against 2.2.3, and decided to 
do a VFS module of it.  I came across the sample VFS module that does 
auditing, but it doesn't seem like the auditing it does is as useful as 
the kind of auditing mine does.  Mine records the actions, not the 
function calls; it seems like there would be a lot of extra information in 
the VFS sample auditing output to wade through to find what you'd need.

But the biggest problems I had in porting mine over to use VFS are the 
following:
- a lack of decent documentation on the VFS interface, specifically how it 
interfaces with smb.conf
- (apparently) a single parameter gets passed to the VFS module from 
smb.conf, making it difficult to pass all my auditing options to the VFS 
module, and it would be difficult to read and parse for both humans and 
machines.
- lack of VFS module nesting, having to either audit a share or use 
another VFS module would be an unwelcome limitation.  I was going to 
take a crack at writing this, but since the VFS interface isn't 
documented really well, I don't want to put a lot of time into it 
because ...
- there seems to be a complete lack of actual VFS modules for samba (and 
as such, there would be nothing to nest).  Whether it's not very popular 
because of lack of documentation or there is little documentation 
because of lack of interest in VFS is unknown.  I suppose it could just 
be that there are few things that people need VFS for.

I really don't think auditing should be an add-on VFS module.  Bugs in 
other VFS modules (assuming they will eventually be nested) might keep 
it from working.  I'm of the opinion that it should be integrated.

I also don't use auditing for samba anymore (I've worked for three other 
companies since then), but I'm willing to maintain it as long as I can 
get it folded into the main release.  I've been out of the samba 
development loop for a while (just recently resubscribed to samba-tech) 
so I'm not familiar with the current method of getting things into the 
tree... can the public commit?  Whose ass do I have to kiss?  Do I need 
to provide more rationale once I get the code ported to 2.2.3?  It 
didn't take much to get my 'restrict anonymous' patch added, but there 
seemed to be an obvious need for it at the time.  People obviously (at 
least to me) need/want auditing integrated into Samba.

Andy Bakun
abakun at thwartedefforts.org

Damien Tougas wrote:

>Thanks, I will take a look at that, it sounds like that might be what I am
>looking for.
>
>>You should check out the VFS stuff included in the source dist, 
>>specifically the audit module. It's under examples/VFS. VFS is in a state 
>>of limbo now, but it does work, at least with the cvs version. It is an 
>>example module that logs all file open, creates, renames, etc to syslog.
>>






