An event reporting framework for Samba

Jeremy Allison jra at
Mon Jan 25 21:27:02 UTC 2016

On Mon, Jan 25, 2016 at 09:09:23AM +0100, Stefan Metzmacher wrote:
> Hi Richard,
> >> Yes, I think we should try to base this on the SACLs of security descriptors
> >> as much as possible. This would solve the problem for everything that
> >> is protected by a security descriptor not just files.
> >>
> >> I'm wondering why you added SMB_VFS_AUDIT_FILE() with
> >>;a=commitdiff;h=0dc3f423d25d3a50fa39ecee8a8ca13cdfe32267
> >> and never add any use to it. Should we remove that again as it's
> >> completely unused?
> > 
> > It was added as a way to have NTFS-style auditing, but then I never
> > found a use for it, since most people don't use that, it seems.
> > 
> > They would rather use stuff like Varonis and etc (there's at least one
> > more of them around.)
> I guess these are software solutions which store the audit events?
> Are they also configure which events should be audited?
> I think it would be good to use the SACL as configuration for the
> auditing, but we would most likely not do Windows compatible auditing
> that can be retrieved via the eventlog interface.
> Having a way to use SACL based auditing would solve the same problem
> not only for directories and files and also for our AD database, printers,
> registry objects and many more.

+1 on this. We have the ability to store and evaluate SACLs
on most containers, and this is the natural way to do this.

> My point is that SMB_VFS_AUDIT_FILE() is never called anywhere in smbd,
> so an implementation of it within a module would be pointless.

Probably need to remove this for 4.4.x VFS.

More information about the samba-technical mailing list