An event reporting framework for Samba
Jeremy Allison
jra at samba.org
Mon Jan 25 21:27:02 UTC 2016
On Mon, Jan 25, 2016 at 09:09:23AM +0100, Stefan Metzmacher wrote:
> Hi Richard,
>
> >> Yes, I think we should try to base this on the SACLs of security descriptors
> >> as much as possible. This would solve the problem for everything that
> >> is protected by a security descriptor not just files.
> >>
> >> I'm wondering why you added SMB_VFS_AUDIT_FILE() with
> >> https://git.samba.org/?p=samba.git;a=commitdiff;h=0dc3f423d25d3a50fa39ecee8a8ca13cdfe32267
> >> and never add any use to it. Should we remove that again as it's
> >> completely unused?
> >
> > It was added as a way to have NTFS-style auditing, but then I never
> > found a use for it, since most people don't use that, it seems.
> >
> > They would rather use stuff like Varonis and etc (there's at least one
> > more of them around.)
>
> I guess these are software solutions which store the audit events?
> Are they also configure which events should be audited?
>
> I think it would be good to use the SACL as configuration for the
> auditing, but we would most likely not do Windows compatible auditing
> that can be retrieved via the eventlog interface.
>
> Having a way to use SACL based auditing would solve the same problem
> not only for directories and files and also for our AD database, printers,
> registry objects and many more.
+1 on this. We have the ability to store and evaluate SACLs
on most containers, and this is the natural way to do this.
> My point is that SMB_VFS_AUDIT_FILE() is never called anywhere in smbd,
> so an implementation of it within a module would be pointless.
Probably need to remove this for 4.4.x VFS.
More information about the samba-technical
mailing list