An event reporting framework for Samba

Jeremy Allison jra at
Tue Jan 26 17:40:55 UTC 2016

On Mon, Jan 25, 2016 at 05:37:02PM -0800, Richard Sharpe wrote:
> On Mon, Jan 25, 2016 at 12:09 AM, Stefan Metzmacher <metze at> wrote:
> > Hi Richard,
> >
> >>> Yes, I think we should try to base this on the SACLs of security descriptors
> >>> as much as possible. This would solve the problem for everything that
> >>> is protected by a security descriptor not just files.
> >>>
> >>> I'm wondering why you added SMB_VFS_AUDIT_FILE() with
> >>>;a=commitdiff;h=0dc3f423d25d3a50fa39ecee8a8ca13cdfe32267
> >>> and never add any use to it. Should we remove that again as it's
> >>> completely unused?
> >>
> >> It was added as a way to have NTFS-style auditing, but then I never
> >> found a use for it, since most people don't use that, it seems.
> Having reviewed the patch I see that it was not added to the most
> important place, which was the evaluation of the ACL. If it were to
> work the way Windows does, it should be evaluated along with the DACL.
> >> They would rather use stuff like Varonis and etc (there's at least one
> >> more of them around.)
> >
> > I guess these are software solutions which store the audit events?
> > Are they also configure which events should be audited?
> From discussions with Varonis they have a Samba VFS module.
> > I think it would be good to use the SACL as configuration for the
> > auditing, but we would most likely not do Windows compatible auditing
> > that can be retrieved via the eventlog interface.
> >
> > Having a way to use SACL based auditing would solve the same problem
> > not only for directories and files and also for our AD database, printers,
> > registry objects and many more.
> Except that it would not handle some of the things people want to do
> today, which is to send a stream of events to some sort of analytics
> engine that can record things like creation, size changes,
> permission/DACL changes, accesses, and so forth. Some of these can be
> done with a SACL-based implementation but not the size change one.
> Other things people might be interested in getting events for is when
> the file was migrated to the cloud, when restored, etc.
> >> As to whether it needs to be removed, I don't know. Maybe someone did
> >> their own file-level auditing.
> >
> > My point is that SMB_VFS_AUDIT_FILE() is never called anywhere in smbd,
> > so an implementation of it within a module would be pointless.
> Yes, that is correct and was an oversight ...

Do you know if it's being used by a modified smbd in
any current OEM VFS modules ?

More information about the samba-technical mailing list