An event reporting framework for Samba

Richard Sharpe realrichardsharpe at gmail.com
Tue Jan 26 01:37:02 UTC 2016 

On Mon, Jan 25, 2016 at 12:09 AM, Stefan Metzmacher <metze at samba.org> wrote:
> Hi Richard,
>
>>> Yes, I think we should try to base this on the SACLs of security descriptors
>>> as much as possible. This would solve the problem for everything that
>>> is protected by a security descriptor not just files.
>>>
>>> I'm wondering why you added SMB_VFS_AUDIT_FILE() with
>>> https://git.samba.org/?p=samba.git;a=commitdiff;h=0dc3f423d25d3a50fa39ecee8a8ca13cdfe32267
>>> and never add any use to it. Should we remove that again as it's
>>> completely unused?
>>
>> It was added as a way to have NTFS-style auditing, but then I never
>> found a use for it, since most people don't use that, it seems.

Having reviewed the patch I see that it was not added to the most
important place, which was the evaluation of the ACL. If it were to
work the way Windows does, it should be evaluated along with the DACL.

>> They would rather use stuff like Varonis and etc (there's at least one
>> more of them around.)
>
> I guess these are software solutions which store the audit events?
> Are they also configure which events should be audited?

>From discussions with Varonis they have a Samba VFS module.

> I think it would be good to use the SACL as configuration for the
> auditing, but we would most likely not do Windows compatible auditing
> that can be retrieved via the eventlog interface.
>
> Having a way to use SACL based auditing would solve the same problem
> not only for directories and files and also for our AD database, printers,
> registry objects and many more.

Except that it would not handle some of the things people want to do
today, which is to send a stream of events to some sort of analytics
engine that can record things like creation, size changes,
permission/DACL changes, accesses, and so forth. Some of these can be
done with a SACL-based implementation but not the size change one.
Other things people might be interested in getting events for is when
the file was migrated to the cloud, when restored, etc.

>> As to whether it needs to be removed, I don't know. Maybe someone did
>> their own file-level auditing.
>
> My point is that SMB_VFS_AUDIT_FILE() is never called anywhere in smbd,
> so an implementation of it within a module would be pointless.

Yes, that is correct and was an oversight ...

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)

More information about the samba-technical mailing list