vfs_full_audit annoyances on major version upgrades
anders.ostling at gmail.com
Fri Mar 26 15:28:54 UTC 2021
Newbie here, but I would like to comment on today's post by Andrew Walker regarding audit logging.
C systems programming is not new to me, although it is about 15 years since I wrote anything serious. The proposed patch looks fine to me, but I believe that a better way is to burp and inform the user about the change in keywords/syntax, at least when there are behind-the-scenes changes like the one this describes. Or maybe “testparm” should look at the config lines in a little more detail. Maybe both proposed solutions could be combined.
Another point is that the logging format from the AD-DC modules seems to be completely different from what SMBD uses. A common format would IMO make it much, much easier to consolidate, parse and analyse logs in an automated way. Maybe that’s a piper's dream, but still … here is an example of what I mean:
AD-DC (Global config for formatting full_audit:prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S - (seems to be ignored))
[2021/03/26 16:09:27.394208, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[anders at HOGANAS-PLATSLAGAREN.SE] at [Fri, 26 Mar 2021 16:09:27.394194 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.0.100.14:39820] became [HPAB]\[anders] [S-1-5-21-1399469354-1941875790-2784827883-1601]. local host [NULL]
SMBD (Global config for formatting full_audit:prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S (used as specified))
Mar 26 16:10:45 fs1a smbd_audit: IP=10.0.100.14 | USER=HPAB\anders | MACHINE=10.0.100.14 | VOLUME=Dokument|get_nt_acl_at|ok|/share/documents
Mar 26 16:10:45 fs1a smbd_audit: IP=10.0.100.14 | USER=HPAB\anders | MACHINE=10.0.100.14 | VOLUME=Dokument|close|ok|/share/documents
I have a few more thoughts, but I will save them for later. I will download the sources myself and see if I can understand how logging is structured. Who knows, maybe this old fart can contribute with something later on!
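The consolidation the post wishes for can be approximated on the collector side even while the two daemons write different formats. The following is an added example, not code from the post or from Samba: it parses the two record shapes shown above (the two-line AD-DC auth_log record and the syslog-style smbd_audit line with the pipe-delimited full_audit prefix) into one common event record. The sample input is the log text quoted in the post, and the regular expressions, the pairing of an "Auth:" line with the header line that precedes it, and the field names of the common record are all assumptions made for this example.

```python
"""Normalise Samba smbd full_audit and AD-DC auth_log lines into one record shape."""
import re
from dataclasses import dataclass

# Constructed sample input: the lines quoted in the post above. "anders at
# HOGANAS-PLATSLAGAREN.SE" is how the list archive renders the "@" in the UPN.
SAMPLE_LOG = r"""
[2021/03/26 16:09:27.394208, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[anders at HOGANAS-PLATSLAGAREN.SE] at [Fri, 26 Mar 2021 16:09:27.394194 CET] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:10.0.100.14:39820] became [HPAB]\[anders] [S-1-5-21-1399469354-1941875790-2784827883-1601]. local host [NULL]
Mar 26 16:10:45 fs1a smbd_audit: IP=10.0.100.14 | USER=HPAB\anders | MACHINE=10.0.100.14 | VOLUME=Dokument|get_nt_acl_at|ok|/share/documents
Mar 26 16:10:45 fs1a smbd_audit: IP=10.0.100.14 | USER=HPAB\anders | MACHINE=10.0.100.14 | VOLUME=Dokument|close|ok|/share/documents
""".strip("\n")

# Assumed patterns, fitted to the two record shapes in the sample above.
SMBD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit: (?P<body>.*)$")
ADDC_HDR_RE = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]")
ADDC_AUTH_RE = re.compile(
    r"Auth: \[(?P<kind>[^\]]*)\] user \[[^\]]*\]\\\[[^\]]*\]"
    r" at \[[^\]]*\] with \[[^\]]*\] status \[(?P<status>[^\]]*)\]"
    r" workstation \[[^\]]*\] remote host \[(?P<remote>[^\]]*)\]"
    r" became \[(?P<dom>[^\]]*)\]\\\[(?P<name>[^\]]*)\] \[(?P<sid>[^\]]*)\]")


@dataclass
class AuditEvent:
    source: str       # "smbd" or "ad-dc"
    timestamp: str    # kept as the daemon wrote it (syslog lines carry no year)
    user: str         # DOMAIN\name where the daemon reports one
    remote_ip: str
    operation: str    # VFS operation for smbd, authentication type for AD-DC
    success: bool
    target: str       # share path for smbd, resolved SID for AD-DC


def _remote_ip(field):
    # auth_log renders the peer as "ipv4:10.0.100.14:39820"; keep only the address
    parts = field.split(":")
    if parts[0] in ("ipv4", "ipv6") and len(parts) >= 3:
        return ":".join(parts[1:-1])
    return field


def parse_smbd(line):
    m = SMBD_RE.match(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group("body").split("|")]
    # leading KEY=value fields come from full_audit:prefix; the rest are positional
    kv, i = {}, 0
    while i < len(fields) and re.match(r"^[A-Z]+=", fields[i]):
        key, value = fields[i].split("=", 1)
        kv[key] = value
        i += 1
    if len(fields) - i < 2:
        return None
    op, result, *rest = fields[i:]
    return AuditEvent("smbd", m.group("ts"), kv.get("USER", ""), kv.get("IP", ""),
                      op, result == "ok", "|".join(rest))


def parse_addc(header, auth_line):
    h = ADDC_HDR_RE.match(header)
    a = ADDC_AUTH_RE.search(auth_line)
    if not (h and a):
        return None
    return AuditEvent("ad-dc", h.group("ts"), f"{a.group('dom')}\\{a.group('name')}",
                      _remote_ip(a.group("remote")), a.group("kind"),
                      a.group("status") == "NT_STATUS_OK", a.group("sid"))


def normalize(text):
    """Turn mixed AD-DC and smbd log text into a list of AuditEvent records."""
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        # an AD-DC auth record is a header line followed by its "Auth:" line
        if ADDC_HDR_RE.match(line) and i + 1 < len(lines) and "Auth:" in lines[i + 1]:
            ev = parse_addc(line, lines[i + 1])
            i += 2
        else:
            ev = parse_smbd(line)
            i += 1
        if ev:
            events.append(ev)
    return events


def to_common_line(ev):
    # one pipe-delimited shape for both sources, mirroring the full_audit prefix style
    return (f"SRC={ev.source} | TS={ev.timestamp} | IP={ev.remote_ip} | USER={ev.user}"
            f" | OP={ev.operation} | OK={int(ev.success)} | TARGET={ev.target}")


if __name__ == "__main__":
    for event in normalize(SAMPLE_LOG):
        print(to_common_line(event))
```

Running the block prints three lines in the same shape, so the Kerberos pre-authentication from 10.0.100.14 and the two share accesses by HPAB\anders from the same address line up on IP and USER without any per-source parsing in the analysis stage. The smbd parser treats the leading KEY=value fields as the configurable prefix and everything after it as positional, so a changed full_audit:prefix only changes which keys are present rather than breaking the split.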