[Samba] How should audit logging work?
Nick Howitt
nick at howitts.co.uk
Tue Oct 12 17:38:36 UTC 2021
On 12/10/2021 11:21, Nick Howitt via samba wrote:
>
>
>
> On 12/10/2021 10:55, Rowland Penny via samba wrote:
>>
>> By no means can you describe a PDC as a simple file server :-D
>>
> Sorry. ClearOS terminology :S
>>>
>>>
>>> [test]
>>> vfs objects = full_audit:audit
>>
>> Try it like this:
>>
>> vfs objects = full_audit audit
>
> Hmm. That logs a single line:
> Oct 12 11:06:50 microserver smbd_audit[18821]: connect to service test
> by user test1
>
> If I do the edits I described I get a lot more when opening, creating
> and deleting files:
>
> Oct 12 11:17:48 microserver smbd_audit: test1|stat|fail (No such file or
> directory)|/var/flexshare/shares/test/subdolder/New folder
> Oct 12 11:17:48 microserver smbd_audit: test1|stat|fail (No such file or
> directory)|/var/flexshare/shares/test/subdolder/New folder
<big snip>
> Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail
> (Operation not supported)|/var/flexshare/shares/test/21
>
> Nick
>
So paring down the config got the audit vfs to work, but the output does
not seem to be much use for working out who did what.
It looks like the output from the full_audit vfs is better as it logs
users and so on but there is so much output. The man page at
https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html
shows what can be monitored, but what do I ideally need?
The idea of enabling it is so a sysadmin can audit who
added/deleted/changed what and when.
So far I see I may want some or all of:
open
rename
unlink
get_alloc_size #not sure
file_id_create
realpath #not sure
connectpath #not sure
Also what I probably don't want is:
!sys_acl_get_file
!get_nt_acl
!listxattr
!readdir
!telldir
!kernel_flock
!close
!get_dos_attributes
!getxattr
!chdir
!strict_lock_check
!getwd
But there are others like "stat" and so on.
Does anyone have any documentation on what all these operations are?
Also does anyone have any suggestions for a good set of operations to
monitor?
Nick
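Added example, not part of the thread: a small Python parser for lines in the shape of the smbd_audit output quoted above, reducing them to the who/what/when the post asks for. The sample lines are constructed; the field layout assumes vfs_full_audit's "prefix|op|ok-or-fail (reason)|details" record with the prefix set to just the user name, that open logs "r" or "w" before the path, and that rename logs "old|new".

```python
import re
from collections import Counter

# Constructed sample in the shape of the smbd_audit lines quoted above
# (prefix is just the user; record layout is "prefix|op|status|details").
SAMPLE_LOG = """\
Oct 12 11:06:50 microserver smbd_audit[18821]: connect to service test by user test1
Oct 12 11:17:48 microserver smbd_audit: test1|stat|fail (No such file or directory)|/var/flexshare/shares/test/subdolder/New folder
Oct 12 11:17:49 microserver smbd_audit: test1|open|ok|w|/var/flexshare/shares/test/report.docx
Oct 12 11:17:50 microserver smbd_audit: test1|rename|ok|/var/flexshare/shares/test/report.docx|/var/flexshare/shares/test/report-final.docx
Oct 12 11:17:51 microserver smbd_audit: test2|unlink|ok|/var/flexshare/shares/test/old.txt
Oct 12 11:17:52 microserver smbd_audit: test2|open|ok|r|/var/flexshare/shares/test/report-final.docx
Oct 12 11:17:53 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/21
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
                     r"smbd_audit(?:\[\d+\])?: (?P<body>.*)$")
# Operations that modify the share; everything else is read-only noise here.
CHANGE_OPS = {"open", "rename", "unlink", "mkdir", "rmdir"}

def parse_line(line):
    """One syslog line -> dict, or None if it is not a pipe-delimited audit record."""
    m = LINE_RE.match(line)
    fields = m.group("body").split("|") if m else []
    if len(fields) < 3:  # e.g. the "connect to service ..." line
        return None
    user, op, status, *args = fields
    return {"ts": m.group("ts"), "user": user, "op": op, "ok": status == "ok",
            "error": None if status == "ok" else status[len("fail ("):-1],
            "args": args}

def changes(log_text):
    """Successful modifications only: open-for-write, rename, unlink, mkdir, rmdir."""
    out = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None or not rec["ok"] or rec["op"] not in CHANGE_OPS:
            continue
        if rec["op"] == "open" and rec["args"][:1] != ["w"]:  # read-only open
            continue
        out.append(rec)
    return out

def per_user(records):
    """Count change operations per user: {'test1': Counter({'open': 1, ...})}."""
    counts = {}
    for r in records:
        counts.setdefault(r["user"], Counter())[r["op"]] += 1
    return counts
```

Running `changes(SAMPLE_LOG)` on the sample keeps only the write, the rename and the delete, dropping the failed stat, the read-only open and the readdir_attr noise.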