[PATCH] Audit logging of DSDB operations, password changes and group membership changes.
Andrew Bartlett
abartlet at samba.org
Thu May 31 18:43:51 UTC 2018
On Thu, 2018-05-31 at 20:01 +1200, Andrew Bartlett wrote:
> On Thu, 2018-05-31 at 11:49 +1200, Andrew Bartlett via samba-technical
> wrote:
> > On Thu, 2018-05-31 at 11:24 +1200, Gary Lockyer via samba-technical
> > wrote:
> > > Patches to log,
> > > * Details all DSDB add, modify and delete operations. Logs
> > >
> > > attributes, values, session details, transaction id.
> > >
> > > * Transaction roll backs.
> > >
> > > * Prepare commit and commit failures.
> > >
> > > * Summary details of replicated updates.
> > > * Group membership changes
> > > * User primary group changes.
> > >
> > > Review and push appreciated.
> >
> > Thanks Gary. Looking forward to sorting out the json return stuff with
> > you and Jeremy, but in the meantime:
> > - please change audit_log_hr() to audit_log_human_text()
> > - please change connect_as_system() to
> > dcesrv_samdb_connect_as_system() and explain better in the comment
> > about it and header how it works (eg the commit text).
> > - explain the same on the backupkey and lsa side
> > - test deleting an LSA secret via OpenSecret
> > - add a #define (in a new commit) for the sessionInfo and
> > networkSessionInfo so we don't get typos in these constants.
> > - Use namespace prefixes in audit_util.c (remember we have a global C
> > scope, eg use dsdb_audit_util_)
> > - Remove #ifdef HAVE_JANSSON from the tests (instead do not produce
> > the binary at all, which is more likely to be noticed).
> >
> > Finally, while I know you are on the run from the 80-column police,
> > this is just ugly:
> >
> > +const char *get_modification_action(
> > + unsigned int flags)
> >
> > Otherwise, this looks pretty good!
>
> Thanks for updating the branch at
> https://gitlab.com/catalyst-samba/samba/commits/gary-audit
>
> The CI has past, and I've picked some of the prep patches into an
> autobuild for master just now.
>
> In the first patch you need to make the build of the test binary depend
> on ENABLE_SELFTEST now it has the #ifdef removed.
>
> Once that is fixed and I've given the main changes and tests a careful
> look I'll review and push the remaining patches.
I've fixed that up and pushed back to the branch.
I hope this helps,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list