An event reporting framework for Samba

Stefan Metzmacher metze at
Mon Jan 25 08:09:23 UTC 2016

Hi Richard,

>> Yes, I think we should try to base this on the SACLs of security descriptors
>> as much as possible. This would solve the problem for everything that
>> is protected by a security descriptor not just files.
>> I'm wondering why you added SMB_VFS_AUDIT_FILE() with
>> and never add any use to it. Should we remove that again as it's
>> completely unused?
> It was added as a way to have NTFS-style auditing, but then I never
> found a use for it, since most people don't use that, it seems.
> They would rather use stuff like Varonis and etc (there's at least one
> more of them around.)

I guess these are software solutions which store the audit events?
Are they also configure which events should be audited?

I think it would be good to use the SACL as configuration for the
auditing, but we would most likely not do Windows compatible auditing
that can be retrieved via the eventlog interface.

Having a way to use SACL based auditing would solve the same problem
not only for directories and files and also for our AD database, printers,
registry objects and many more.

> As to whether it needs to be removed, I don't know. Maybe someone did
> their own file-level auditing.

My point is that SMB_VFS_AUDIT_FILE() is never called anywhere in smbd,
so an implementation of it within a module would be pointless.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list