[WIP] Log database changes.

Andrew Bartlett abartlet at samba.org
Mon May 14 08:41:59 UTC 2018


On Sun, 2018-05-13 at 12:35 +0200, Stefan Metzmacher wrote:
> On 10.05.2018 at 06:07, Andrew Bartlett via samba-technical wrote:
> > On Mon, 2018-05-07 at 18:05 +0200, Stefan Metzmacher via samba-
> > technical wrote:
> > > Hi Gary,
> > > 
> > > > Current state of this task.
> > > > 
> > > > Comments appreciated.
> > > 
> > > Most of the preparation like the session guid looks good.
> > > 
> > > I'm wondering if we want to implement the auditing of the directory
> > > database similar to Windows using SACLs in the security descriptors
> > > instead of having custom modules for various types of events.
> > 
> > SACL support would still need the same infrastructure, it would just
> > provide a way to filter which events to audit, rather than the coarse-
> > grained filters we have here.
> > 
> > I see it as a version 2 kind of thing, we need to get this much in
> > first.  So far the client requests have been for class-based logging
> > (the filtering happens on external log analysis tools). 
> > 
> > I would also want to know clearly what the use case is for SACL
> > logging, because if it is only really valuable in conjunction with a
> > full Event Log and matching Windows exactly, that would be much more
> > work.
> > 
> > As it stands, our ACLs are a pain to modify (outside the Windows GUI),
> > so in the short time per-server smb.conf options, matching the audit
> > work done so far seem much more practical. 
> 
> Ok.
> 
> metze

Thanks Metze. 

Just to round this out:  On a walk over the weekend I considered a
design for the v2 you requested.  

In short, the modification audit code runs in the result callback and
can access controls passed back up on the result.  We can pass back up
a control indicating that the SACL was fired, and a future version of
the module could additionally log it in an audit_sacl class or such.  

This would build quite nicely on the existing infrastructure, if
it is ever required.  As always a big part of the task would be the
required testing (which is where Gary is spending his days right now).

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



