[Samba] full_audit uncertainties

mj lists at merit.unu.edu
Mon Jun 28 12:54:46 UTC 2021


Hi,

We have full_audit configured like this, for testing:

> [global]
> 
> #    full_audit:success = mkdirat renameat unlinkat open connect
>     full_audit:success = none
> #    full_audit:failure = mkdirat renameat unlinkat connect
>     full_audit:failure = none
>     full_audit:prefix = IP=%I | USER=%u | MACHINE=%m | VOLUME=%S
>     full_audit:facility = local7
>     full_audit:priority = NOTICE

We set both success and failure temporarily to NONE, since our 
(original, commented out) full_audit config was causing way too much traffic.

So we set everything to NONE expecting that nothing would be logged, and 
we could slowly enable specific items again, and monitor.

However, much to our surprise with the above full_audit NONE config, 
full_audit is still generating *a lot* of logging, like this:

> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|sys_acl_get_file|ok|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|fail (No data available)|/home/username|user.SAMBA_PAI
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_nt_acl_at|ok|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|fs_file_id|ok|1074561160
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|close|ok|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|stat|ok|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|fail (No data available)|/home/username|user.DOSATTRIB
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_dos_attributes|fail (No data available)|/home/username
> Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0
> 
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|sys_acl_get_file|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|sys_acl_get_file|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|fail (No data available)|/home/username/certificates/strategic plan|user.SAMBA_PAI
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_nt_acl_at|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|close|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|stat|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|ok|/home/username/certificates/strategic plan|user.DOSATTRIB
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_dos_attributes|ok|/home/username/certificates/strategic plan
> Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0

I tried adding !get_alloc_size !sys_acl_get_file !getxattr to the 
full_audit:success config but it just goes on.

Can anyone explain what we are doing wrong? This is on 4.13.7.

Thanks!

MJ
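For anyone triaging this kind of flood, here is an added example (not from the post or from Samba) that parses smbd_audit syslog lines in the exact prefix/op/result/args layout shown above and counts which VFS operations and outcomes dominate, so the right ops can be excluded from full_audit:success / full_audit:failure. The sample lines are constructed to match the format in the post; the prefix layout "IP=%I | USER=%u | MACHINE=%m | VOLUME=%S" is assumed.

```python
import re
from collections import Counter

# Constructed sample in the full_audit format shown in the post (prefix
# "IP=%I | USER=%u | MACHINE=%m | VOLUME=%S", then |op|result|args...).
SAMPLE = r"""Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|sys_acl_get_file|ok|/home/username
Jun 28 14:29:13 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|getxattr|fail (No data available)|/home/username|user.SAMBA_PAI
Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|stat|ok|/home/username/certificates/strategic plan
Jun 28 14:33:35 memberserver smbd_audit[16214]: IP=192.168.89.4 | USER=SAMDOM\username | MACHINE=desktop-9piq0bp | VOLUME=username|get_alloc_size|ok|0"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) smbd_audit\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

def parse_line(line):
    """Parse one smbd_audit syslog line into a dict, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Prefix fields are separated by " | "; the last prefix field (VOLUME=...)
    # is glued to the op record with a bare "|" because the prefix has no
    # trailing separator, so split it off separately.
    fields = m.group("msg").split(" | ")
    head, tail = fields[:-1], fields[-1].split("|")
    if len(tail) < 3:
        return None
    head.append(tail[0])
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    rec.update(f.split("=", 1) for f in head if "=" in f)
    # Result is "ok" or "fail (reason)"; keep the reason text without parentheses.
    status, _, reason = tail[2].partition(" ")
    rec.update(op=tail[1], status=status, reason=reason.strip("()"), args=tail[3:])
    return rec

def summarize(lines):
    """Count (op, status) pairs so the noisiest VFS operations stand out."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["op"], rec["status"])] += 1
    return counts

if __name__ == "__main__":
    for (op, status), n in summarize(SAMPLE.splitlines()).most_common():
        print(f"{n:6d}  {op} {status}")
```

Feed it the real syslog file instead of SAMPLE to see which operations are producing the volume before deciding which ones to exclude with a `!op` entry.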
