[PATCH] Audit logging of DSDB operations, password changes and group membership changes.

Andrew Bartlett abartlet at samba.org
Thu May 31 18:43:51 UTC 2018


On Thu, 2018-05-31 at 20:01 +1200, Andrew Bartlett wrote:
> On Thu, 2018-05-31 at 11:49 +1200, Andrew Bartlett via samba-technical
> wrote:
> > On Thu, 2018-05-31 at 11:24 +1200, Gary Lockyer via samba-technical
> > wrote:
> > > Patches to log,
> > >       * Details all DSDB add, modify and delete operations. Logs
> > >         attributes, values, session details, transaction id.
> > >       * Transaction roll backs.
> > >       * Prepare commit and commit failures.
> > >       * Summary details of replicated updates.
> > >       * Group membership changes
> > >       * User primary group changes.
> > > 
> > > Review and push appreciated.
> > 
> > Thanks Gary.  Looking forward to sorting out the json return stuff with
> > you and Jeremy, but in the meantime:
> >  - please change audit_log_hr() to audit_log_human_text() 
> >  - please change connect_as_system() to
> > dcesrv_samdb_connect_as_system() and explain better in the comment
> > about it and header how it works (eg the commit text). 
> >  - explain the same on the backupkey and lsa side
> >  - test deleting an LSA secret via OpenSecret
> >  - add a #define (in a new commit) for the sessionInfo and
> > networkSessionInfo so we don't get typos in these constants. 
> >  - Use namespace prefixes in audit_util.c (remember we have a global C
> > scope, eg use dsdb_audit_util_)
> >  - Remove #ifdef HAVE_JANSSON from the tests (instead do not produce
> > the binary at all, which is more likely to be noticed). 
> > 
> > Finally, while I know you are on the run from the 80-column police,
> > this is just ugly:
> > 
> > +const char *get_modification_action(
> > +	unsigned int flags)
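Review bot: get_modification_action(), as quoted, carries no namespace prefix and no static qualifier, so in a global C scope it can collide with any other symbol of the same name; a prefix such as dsdb_audit_ would match the naming request made for audit_util.c. The whole declaration, `const char *get_modification_action(unsigned int flags)`, also fits within 80 columns on one line, so the break before the single parameter can go.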
> > 
> > Otherwise, this looks pretty good!
> 
> Thanks for updating the branch at
> https://gitlab.com/catalyst-samba/samba/commits/gary-audit
> 
> The CI has passed, and I've picked some of the prep patches into an
> autobuild for master just now.
> 
> In the first patch you need to make the build of the test binary depend
> on ENABLE_SELFTEST now it has the #ifdef removed.
> 
> Once that is fixed and I've given the main changes and tests a careful
> look I'll review and push the remaining patches.

I've fixed that up and pushed back to the branch.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



