[PATCH] samba3 auditing server-side

Guenther Deschner gd at samba.org
Wed Apr 12 11:12:54 GMT 2006


Hi,

On Wed, Apr 12, 2006 at 09:33:44AM +0200, Stefan (metze) Metzmacher wrote:
> Guenther Deschner schrieb:
> > Hi,
> > 
> > Jeremy, Lars and I recently discussed how we could have exact tracking of
> > auditable events in the samba3 code. As we now understand better how to
> > remotely manage auditing policies, here is a draft patch of how we could do
> > the server-side of auditing.
> > 
> > The patch just works for ldapsam (the auditing settings are replicated
> > between DCs). That way, we could add the matching audit events with the
> > correct event IDs (which are mostly well known and documented) using
> > AUDIT_SUCCESS/AUDIT_FAILURE calls where appropriate in a very similar
> > manner as Windows does.
> > 
> > It would be then rather easy to have a kind of "audit backend" parameter
> > to send the audit events not only to the DEBUG macro but also to syslog or
> > any other kind of auditing framework. 
> 
> Hi Guenther,
> 
> does this auditing also have to do with the SACL auditing or is this
> completely different?

It would just enable the SACL auditing (by enabling the
LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS category). The way we end up
implementing SACLs is completely independent from the policy
infrastructure which would just control: "do SACL auditing for success,
failure, both or not at all".

> Do Windows machines return NT_STATUS_AUDIT_FAILED to the client,
> if the auditing fails?

This I don't know yet, that was just a wild guess. Maybe
NT_STATUS_AUDIT_FAILED will be returned when the eventlog is full and has
to shut down. This needs research.

> Maybe AUDIT_SUCCESS() and AUDIT_FAILURE() should
> be just void functions...

Yep, that's right.

Thanks,
Guenther

-- 
Günther Deschner                    GPG-ID: 8EE11688
Novell / SUSE LINUX                       gd at suse.de
Samba Team                              gd at samba.org