Admin logging SoC project requirements

Gerald (Jerry) Carter jerry at samba.org
Sat May 27 20:29:31 GMT 2006



Michael,

It's generally a reply-to-all world here so let's
keep things on the samba-technical list.

>> Here are some of the requirements I'd like to discuss
>> regarding the admin logging.   The logging should
>> help an admin achieve three things IMO
> 
> Your requirements are rather similar to what I was 
> preparing.  I'll get back to you with some more details
> in less than 24 hours.  Meanwhile some comments
> and questions...
>
>> 1. monitor activity on the system
> Yepp.
> 
>> 2. audit changes to the system
> As in:
> - changes of the configuration or
> - changes of (and access to) files etc.?

I was thinking more of "User foo added a new printer"
or "New user biddle created by DOMAIN\Administrator".
Very similar to the Windows event IDs.

Auditing is kind of an interesting thing altogether.
I'm not sure how much we should focus on this
initially.  The thing is that auditing is controlled
by Windows clients setting System ACLs on objects.
Once the logging plumbing is in place, it will make
support for SACLs easier.

>> 3. warn of potential problems and possibly advise
>>    on how to correct them
>
> That's on a configuration level, I suppose.

Here's an example I was thinking of.  If Samba (as a
member server) gets an "access denied" when trying to
connect to the DC using its machine account credentials,
the admin should be warned that the server might need
to be rejoined to the domain.

I don't think you should be responsible for figuring
out everything that should be logged but rather
to provide the plumbing that we need for logging
in the first place.  That way we can add new events
as they arise.  I think the best logging is learned
from experience with real systems.

Of course, we'll have to identify some events to
show that the system really does work :-)

>> I believe that the system should
>>
>> * Utilize syslog
> 
> I was thinking about offering a choice between syslog
> and apache-access-log-style (configurable in a similar 
> way, ie. a printf-%-line)

I'd be fine with that.  The key is to allow admins
to integrate the logs with existing tools.

> 
>> * Provide filters in smb.conf for which subsystems
>>   will log events (printing, account management,
>>   authentication, share management, etc...)
>> * Have a defined set of IDs for events
>> * Have a defined format string for easy parsing
> Yes.
> 
> I've looked into the code for the debugging 
> output (lib/debug.c and include/debug.h).  I'm
> not decided yet but I think I'd prefer *not*
> using these functions -- the requirements 
> seem too different to me. What do you think?

I agree completely.  Start from scratch.

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
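The plumbing sketched in this thread (an smb.conf-style subsystem filter, a defined set of numeric event IDs, and an admin-chosen printf-%-style line format) as an added C example; this is not Samba code and not part of the original message, and the subsystem names, event IDs and %-tokens are assumptions made here:

```c
#include <stdio.h>
#include <string.h>
/* Subsystem names (filter bit i = subsys_names[i]) and event IDs, all constructed for this example. */
static const char *const subsys_names[] = { "printing", "account", "authentication", "share" };
enum { SUB_PRINTING, SUB_ACCOUNT, SUB_AUTH, SUB_SHARE, SUB_COUNT };
enum { EV_PRINTER_ADDED = 1001, EV_USER_CREATED = 2001, EV_DC_ACCESS_DENIED = 3001 };
/* smb.conf-style list ("printing account") -> bitmask; unknown names are ignored. */
unsigned adm_parse_filter(const char *list)
{
    char buf[256];
    unsigned mask = 0;
    snprintf(buf, sizeof buf, "%s", list);
    for (char *tok = strtok(buf, " ,"); tok; tok = strtok(NULL, " ,"))
        for (unsigned i = 0; i < SUB_COUNT; i++)
            if (strcmp(tok, subsys_names[i]) == 0) mask |= 1u << i;
    return mask;
}
/* Expand a %-template (%i event ID, %s subsystem, %u actor, %m message, %% literal).
 * Returns the line length, or -1 on an unknown token or if the record would not fit. */
int adm_format(char *out, size_t outlen, const char *tmpl, int id, unsigned sub, const char *user, const char *msg)
{
    size_t n = 0, len;
    char num[16]; const char *rep;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%') { if (n + 1 >= outlen) return -1; out[n++] = *p; continue; }
        switch (*++p) {
        case 'i': snprintf(num, sizeof num, "%d", id); rep = num; break;
        case 's': rep = sub < SUB_COUNT ? subsys_names[sub] : "unknown"; break;
        case 'u': rep = user; break;
        case 'm': rep = msg; break;
        case '%': rep = "%"; break;
        default:  return -1;   /* reject, rather than guess at, a bad template */
        }
        len = strlen(rep);
        if (n + len >= outlen) return -1;   /* a clipped record is worse than none */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}
/* Emit only if the subsystem is enabled: 1 = logged, 0 = filtered out, -1 = bad template. */
int adm_log_event(unsigned filter, const char *tmpl, int id, unsigned sub, const char *user, const char *msg)
{
    char line[512];
    if (sub >= SUB_COUNT || !(filter & (1u << sub))) return 0;
    if (adm_format(line, sizeof line, tmpl, id, sub, user, msg) < 0) return -1;
    puts(line);   /* stand-in for syslog(3) or an apache-style log file */
    return 1;
}
```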