[PATCH] vfs_gpfs: add optional ACL auditing

Ralph Wuerthner ralphw at de.ibm.com
Mon Dec 19 12:04:26 UTC 2016

On 12/16/2016 05:24 PM, Christof Schmitt wrote:
> On Fri, Dec 16, 2016 at 03:17:18PM +0100, Ralph Böhme wrote:
>> On Fri, Dec 16, 2016 at 02:15:27PM +0100, Volker Lendecke wrote:
>>> On Fri, Dec 16, 2016 at 12:29:45PM +0100, Ralph Böhme wrote:
>>>> Attached is a patch for vfs_gpfs that adds an optional hook for kernel auditing
>>>> frameworks to audit ACL changes.
>>> While this probably works, I would appreciate a *bit* more
>>> elaborate comment why this is necessary. To me this looks rather
>>> hackish to be honest.
>> Ralph W., can you comment on this and disclose as much information as necessary
>> to get this past the gate. :)
> From what I remember, this is to support auditing systems that hook into the
> Linux kernel VFS. Calls from Samba to the GPFS library are not visible
> to the kernel VFS, so they will be missed by the auditing.

Christof is fully correct. This hack is currently the only way to 
trigger auditing of ACL changes without having auditing systems to hook 
into Samba.

> The "hack" here is to trigger an operation that is visible to the Linux
> kernel VFS, so that something can be logged in the auditing system.
> Besides this being hackish, I am wondering whether this also misses
> other interesting calls to GPFS from Samba such as:
> gpfs_set_share
> gpfs_set_winattrs
> gpfs_set_winattrs_path
> gpfs_set_times_path
> gpfs_prealloc
> Christof

The purpose of these auditing systems is to log access to files for 
providing an audit trail. From the above list, only gpfs_set_times_path() 
might be useful for this use case. Eventually gpfs_set_winattrs*() too, 
but this is still under discussion. For now we only focused on ACL 
changes, because this is a very important call to be logged by an 
auditing system.


     Ralph Wuerthner
