auditing patch for samba

Andrew Bartlett abartlet at pcug.org.au
Thu Feb 21 17:37:04 GMT 2002 

Andy Bakun wrote:
> 
> About every three or four months, I get an email from someone who needs
> Samba auditing and who found my web page with my patch against 2.0.7 on
> it (http://thwartedefforts.org/software/samba/samba-audit.html).  When
> it was originally written, the VFS interface wasn't finalized.
> 
> So a few weeks ago I got another email asking if I had a patch for it
> against 2.2.3.  I was going to update it against 2.2.3, and decided to
> do a VFS module of it.  I came across the sample VFS module that does
> auditing, but it doesn't seem like the auditing it does is as useful as
> the kind of auditing mine does.   Mine records the actions, not the
> function calls, seems like there would be a lot of extra information in
> the VFS sample auditing output to wade through to find what you'd need.
> 
> But the biggest problems I had in porting mine over to use VFS are the
> following:
> - a lack of decent documentation on the VFS interface, specificly how it
> interfaces with smb.conf
> - (apparently) a single parameter gets passed to the VFS module from
> smb.conf, making it difficult to pass all my auditing options to the VFS
> module, and it would be difficult to read and parse for both humans and
> machines.

This is a bit messy atm.  I hope it gets cleaned up at some stage.

> - lack of VFS module nesting, having to either audit a share or use
> another VFS module would be an unwelcome limitation.  I was going to
> take a crack at writing this, but since the VFS interface isn't
> documented really well, I don't want to put a lot of time into it
> because ...

I understand that Alexander Bokovoy <a.bokovoy at sam-solutions.net> is
looking at this.

> - there seems to be a complete lack of actual VFS modules for samba (and
> as such, there would be nothing to nest).  If it's not very popular
> because of lack of documentation or there is little documentation
> because of lack of interest in VFS is unknown.  I suspose it could just
> be that there are few things that people need VFS for.

Currently the main this is for virus scanners, and I think the
--with-netatalk stuff is going to be re-implemented that way as well. 
(That code got lost in the transition to the VFS).

> I really don't think auditing should be an add-on VFS module.  Bugs in
> other VFS modules (assuming they will eventually be nested) might keep
> it from working.  I'm of the opinion that it should be integrated.

I don't find this a convincing argument.  If your module is first in the
stack (which is where an audit module should be) then no other module
should be able to affect it.

> I also don't use auditing for samba anymore (I've worked for three other
> companies since then), but I'm willing to maintain it as long as I can
> get it folded into the main release.  I've been out of the samba
> development loop for a while (just recently resubscribed to samba-tech)
> so I'm not familar with the current method of getting things into the
> tree... can the public commit?  

Only team members can commit.

> Whose ass do I have to kiss?  Do I need
> to provide more rationale once I get the code ported to 2.2.3?  

The more explaination the better. 

> It
> didn't take much to get my 'restrict anonymous' patch added, but there
> seemed to be an obvious need for it at the time.  

The 'restrict anonymous' paramater has been removed from HEAD, as I
broke it during the auth-rewrite and could not find the rationale behind
it.  In particular, its highly confusing name (conflicting with the NT
Registry key of the same name) didn't help.

The standards for patches are incresing - I'm certainly getting very
strict on the patches I will apply.  I'm also working very hard to
ensure that there is a good reason for certain code to be in Samba,
becouse this project is getting very large already.

> People obviously (at
> least to me) need/want auditing integrated into Samba.

Auditing is an interesting area - and I don't object to the idea of
including this functionality in Samba - but I think it is best to use
the VFS interface.  (This should not preclude inclusion in the tree
however - but I'm not exactly sure how it would work).

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba-technical mailing list