[PATCH] Audit logging of DSDB operations, password changes and group membership changes.

Andrew Bartlett abartlet at samba.org
Thu May 31 08:01:36 UTC 2018


On Thu, 2018-05-31 at 11:49 +1200, Andrew Bartlett via samba-technical
wrote:
> On Thu, 2018-05-31 at 11:24 +1200, Gary Lockyer via samba-technical
> wrote:
> > Patches to log,
> >       * Details all DSDB add, modify and delete operations. Logs
> >         attributes, values, session details, transaction id.
> >       * Transaction roll backs.
> >       * Prepare commit and commit failures.
> >       * Summary details of replicated updates.
> >       * Group membership changes
> >       * User primary group changes.
> > 
> > Review and push appreciated.
> 
> Thanks Gary.  Looking forward to sorting out the json return stuff with
> you and Jeremy, but in the meantime:
>  - please change audit_log_hr() to audit_log_human_text() 
>  - please change connect_as_system() to
> dcesrv_samdb_connect_as_system() and explain better in the comment
> about it and header how it works (eg the commit text). 
>  - explain the same on the backupkey and lsa side
>  - test deleting an LSA secret via OpenSecret
>  - add a #define (in a new commit) for the sessionInfo and
> networkSessionInfo so we don't get typos in these constants. 
>  - Use namespace prefixes in audit_util.c (remember we have a global C
> scope, eg use dsdb_audit_util_)
>  - Remove #ifdef HAVE_JANSSON from the tests (instead do not produce
> the binary at all, which is more likely to be noticed). 
> 
> Finally, while I know you are on the run from the 80-column police,
> this is just ugly:
> 
> +const char *get_modification_action(
> +	unsigned int flags)
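
Review bot: get_modification_action() is declared here without static and without a namespace prefix, so the name lands in the global C scope that the review above asks to keep prefixed (eg dsdb_audit_util_). Separately, the whole declaration, const char *get_modification_action(unsigned int flags), is well under 80 columns, so the parameter does not need to be wrapped onto its own line.
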
> 
> Otherwise, this looks pretty good!

Thanks for updating the branch at
https://gitlab.com/catalyst-samba/samba/commits/gary-audit

The CI has passed, and I've picked some of the prep patches into an
autobuild for master just now.

In the first patch you need to make the build of the test binary depend
on ENABLE_SELFTEST now it has the #ifdef removed.

Once that is fixed and I've given the main changes and tests a careful
look I'll review and push the remaining patches.

Thanks in particular for the DSDB_SESSION_INFO define.  That was long
overdue from well before your changes!

Thanks!

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



