
[Samba] VFS Extended Auditing Module Debug Information


John H Terpstra

Sep 23, 2004, 2:30:11 AM
Folks,

Given recent discussion on this list I have just updated the master Samba-Docs
information regarding the Debug Class (Log Level) settings and the audit
information each causes to be logged. This will appear in on-line versions of
the Samba-HOWTO-Collection within 24 hours. To obtain an updated version
point your browser at:
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

The purpose of the extd_audit (Extended Audit) module is to permit logging of
critical file and directory access to BOTH syslog as well as to individual
log files. To create individual log files you can use:

log file = /var/log/samba/%U.%m.log
log level = 0 vfs:[012]
syslog = 0
ie:
log level = 0 vfs:0
or log level = 0 vfs:1
or log level = 0 vfs:2

In this example, syslog information will be only critical general samba
information, plus full detail for all VFS modules up to the log level
specified.

Please refer to the documentation in the VFS Modules chapter - the information
logged has changed from what was previously documented.

This will create an individual per-user-per-client log of all level 0, 1, or 2
action. See also the updated chapter on Debugging Samba (Chapter 34.3.1).

Despite recent criticism regarding the difficulty of establishing acceptable
auditing logs, this module is in use in a number of sites that require strict
auditability of file and directory operations.

Enjoy.

- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.

rruegner

Sep 23, 2004, 8:50:07 AM
Hi John ,
i just tried your examples with suse 9.0 samba 3.07

in globals
log file = /var/log/samba/%m.log
log level = vfs:2
syslog = 0
works but i have only create and rename messages in the log
a deletion is named unlinked ( sound miracle to me )

log file = /var/log/samba/%U.%m.log
creates test.testmachine.log
but only extd_audit is written to .testmachine.log
(%U.%m.log this doesn't work)

i have it like this in the share
[files3]
comment = public files
path = /files3
read only = No
guest ok = Yes
browseable = Yes
csc policy = disable
vfs objects = vscan-clamav, netatalk, extd_audit, recycle
recycle:keeptree = yes
recycle:versions = yes
recycle:touch = yes
recycle:exclude = ?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP
recycle:exclude_dir= /tmp,/temp,/cache
recycle:repository = .recycle/.recycle.%u
recycle:noversions = *.doc,*.xls,*.ppt

Where's my mistake?
And do you know what this full_audit module is?

-----------
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_fchmod_acl(322)
vfs_extd_audit: fchmod_acl Neu Textdokument.txt mode 0x1e4 failed:
Keine Daten verfügbarvfs_extd_audit: opendir ./
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_opendir(141)

[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_rename(232)
vfs_extd_audit: rename old: ./Neu Textdokument.txt new: ./testfile.txt
[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_opendir(141)

[2004/09/23 14:37:45, 0] modules/vfs_extd_audit.c:audit_unlink(250)
vfs_extd_audit: unlink testfile.txt
[2004/09/23 14:37:45, 1] modules/vfs_extd_audit.c:audit_opendir(141)
-------------

log level = 0 vfs:2 produces nothing in the logs

Regards

John H Terpstra wrote:

Marco De Vitis

Sep 27, 2004, 11:40:30 AM
On 23/09/2004, at 14:40, rruegner wrote:

> log level = vfs:2

According to what John wrote, this is wrong. It should be something like:

log level = 0 vfs:2

> a deletion is named unlinked ( sound miracle to me )

That's correct: on Linux files are not really deleted, they are simply
"unlinked".

--
Ciao,
Marco.

..."Refugee", Refugee 1974
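
The log excerpt posted earlier in this thread, parsed into structured audit events. This is an added example, not part of any poster's message and not Samba code; the function names `parse_audit_log` and `deletions` are made up for illustration. It pairs each `[time, level] ...audit_<op>(line)` header with its `vfs_extd_audit:` message even when, as in the excerpt, a message was written glued to the previous one, and it finds deletions by the `unlink` operation name explained above.

```python
import re

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] "
                    r"modules/vfs_extd_audit\.c:(audit_\w+)\((\d+)\)\s*$")
PREFIX = "vfs_extd_audit: "

# Excerpt copied from the post in this thread (one message arrives glued).
SAMPLE = """\
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_fchmod_acl(322)
vfs_extd_audit: fchmod_acl Neu Textdokument.txt mode 0x1e4 failed:
Keine Daten verfügbarvfs_extd_audit: opendir ./
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_opendir(141)

[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_rename(232)
vfs_extd_audit: rename old: ./Neu Textdokument.txt new: ./testfile.txt
[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_opendir(141)

[2004/09/23 14:37:45, 0] modules/vfs_extd_audit.c:audit_unlink(250)
vfs_extd_audit: unlink testfile.txt
[2004/09/23 14:37:45, 1] modules/vfs_extd_audit.c:audit_opendir(141)
"""

def parse_audit_log(text):
    """Return one dict per header: time, level, op, detail (None if absent)."""
    headers, bodies = [], []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            headers.append({"time": m[1], "level": int(m[2]), "op": m[3][6:]})
            bodies.append("")
        elif headers and line.strip():
            bodies[-1] += (" " if bodies[-1] else "") + line.strip()
    events = [dict(h, detail=None) for h in headers]
    for i, body in enumerate(bodies):
        for msg in filter(None, body.split(PREFIX)):
            op, _, detail = msg.strip().partition(" ")
            # A message belongs to its own header, or (when it was written
            # ahead of its header) to the next header for the same operation.
            for j in (i, i + 1):
                if (j < len(events) and events[j]["op"] == op
                        and events[j]["detail"] is None):
                    events[j]["detail"] = detail
                    break
    return events

def deletions(events):
    """Files removed by clients; extd_audit records a delete as 'unlink'."""
    return [(e["time"], e["detail"]) for e in events if e["op"] == "unlink"]
```
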

rruegner

Sep 27, 2004, 12:30:16 PM

hi,
log level = 0 vfs:2 didn't work at my setup
no idea why, maybe suse special
log level = vfs:2 works
as far as I've tested it

also not working
log file = /var/log/samba/%U.%m.log
I posted it to John, so far no answer.
But John can't answer everything, as I know.
I really want to have such log files
any idea why this is not working?
Regards
Marco De Vitis wrote:


> On 23/09/2004, at 14:40, rruegner wrote:
>
>
>> log level = vfs:2
>
>
> According to what John wrote, this is wrong. It should be something like:
>
> log level = 0 vfs:2
>
>
>>a deletion is named unlinked ( sound miracle to me )
>
>
> That's correct: on Linux files are not really deleted, they are simply
> "unlinked".
>
--

Marco De Vitis

Sep 27, 2004, 12:50:13 PM
On 23/09/2004, at 8:22, John H Terpstra wrote:

> Given recent discussion on this list I have just updated the master Samba-Docs
> information regarding the Debug Class (Log Level) settings and the audit

Great, thanks!

Anyway something is still not clear to me. I quote from the updated howto:

> Logging can take place to the default log file (log.smbd) for all loaded
> VFS modules just be setting in the smb.conf file log level = 0 vfs:x,
> where x is the log level. This will disable general logging while
> activating all logging of VFS module activity at the log level
> specified.

Apart from "be" -> "by" (I suppose), does this mean that a global log
level of zero is NECESSARY for correct extd_audit logging? Or is it just a
suggestion?

Also, this "vfs:x" parameter looks like a global VFS parameter. Does this
mean that any other VFS module which outputs debug information (I don't
know if others exist) will be affected by it?

> log level = 0 vfs:[012]
> syslog = 0
> ie:
> log level = 0 vfs:0
> or log level = 0 vfs:1
> or log level = 0 vfs:2
>
> In this example, syslog information will be only critical general samba

I just tried these settings:

log file = /var/log/samba/%m.%U.log
syslog = 0
log level = 0 vfs:2
max log size = 0

...and restarted samba (3.0.7), but I still get lots of smbd_audit stuff
in syslog, and ONLY in syslog (i.e. not in samba logfiles): open, close,
opendir, rename, chmod...

> Despite recent criticism regarding the difficulty of establishing acceptable

I'm not critic regarding audit, I'm critic regarding docs about it. ;)

Let me explain: when using Samba 2.x I expressed on some mailing lists the
desire for good auditing on file access, and I was told that the audit VFS
module in Samba 3 was the answer to my problems. I now finally got to use
Samba 3, but I felt lost regarding the way to obtain usable audit logs,
and so a bit disappointed.

As far as I can see, this is a fairly popular topic, so maybe it should be
documented in more detail, covering all doubts users seem to express on
the subject.
Anyway your new additions to the howto are already a good step forward, I
now have a clearer idea of what I should do.

--
Ciao,
Marco.

..."Kid A", Radiohead 2000

John H Terpstra

Sep 27, 2004, 2:10:10 PM
> -------- Original Message --------
> Subject: [Samba] Re: VFS Extended Auditing Module Debug Information
> From: "Marco De Vitis" <star...@spin.it>
> Date: Mon, September 27, 2004 9:44 am
> To: sa...@lists.samba.org
>
> On 23/09/2004, at 8:22, John H Terpstra wrote:
>
> > Given recent discussion on this list I have just updated the master Samba-Docs
> > information regarding the Debug Class (Log Level) settings and the audit
>
> Great, thanks!
>
> Anyway something is still not clear to me. I quote from the updated howto:
>
> > Logging can take place to the default log file (log.smbd) for all loaded
> > VFS modules just be setting in the smb.conf file log level = 0 vfs:x,
> > where x is the log level. This will disable general logging while
> > activating all logging of VFS module activity at the log level
> > specified.
>
> Apart from "be" -> "by" (I suppose), does this mean that a global log

Oops. I'll fix that typo.

> level of zero is NECESSARY for correct extd_audit logging? Or is it just a
> suggestion?

Suggestion to keep log noise level down.

>
> Also, this "vfs:x" parameter looks like a global VFS parameter. Does this
> mean that any other VFS module which outputs debug information (I don't
> know if others exist) will be affected by it?

Correct. All VFS modules will be affected. The alternative is to modify
a VFS module so it will read the log level info and thereby affect
just its own actions.

>
> > log level = 0 vfs:[012]
> > syslog = 0
> > ie:
> > log level = 0 vfs:0
> > or log level = 0 vfs:1
> > or log level = 0 vfs:2
> >
> > In this example, syslog information will be only critical general samba
>
> I just tried these settings:
>
> log file = /var/log/samba/%m.%U.log
> syslog = 0
> log level = 0 vfs:2
> max log size = 0
>
> ...and restarted samba (3.0.7), but I still get lots of smbd_audit stuff
> in syslog, and ONLY in syslog (i.e. not in samba logfiles): open, close,
> opendir, rename, chmod...


I've had the same report from others. I'll look into this when I get
some time.

>
> > Despite recent criticism regarding the difficulty of establishing acceptable
>
> I'm not critic regarding audit, I'm critic regarding docs about it. ;)

;)

>
> Let me explain: when using Samba 2.x I expressed on some mailing lists the
> desire for good auditing on file access, and I was told that the audit VFS
> module in Samba 3 was the answer to my problems. I now finally got to use
> Samba 3, but I felt lost regarding the way to obtain usable audit logs,
> and so a bit disappointed.

Understood. I just discovered that someone has been hacking on the
source code and has changed the way it works without updating the
documentation! Argh!

>
> As far as I can see, this is a fairly popular topic, so maybe it should be
> documented in more detail, covering all doubts users seem to express on
> the subject.
> Anyway your new additions to the howto are already a good step forward, I
> now have a clearer idea of what I should do.

OK. More to follow when I get some time to sort this out.

- John T.

Marco De Vitis

Sep 27, 2004, 5:10:10 PM
On 27/09/2004, at 18:23, rruegner wrote:

> also not working
> log file = /var/log/samba/%U.%m.log

It works fine here, since Samba 2.x. Actually I use it the reverse way:
%m.%U.log

Some files are created as "machinename..log", without username, but I
suppose that's normal: they are probably used to log events taking place
when no user has been authenticated yet, or something like that.

--
Ciao,
Marco.

..."Dig?", Bill Bruford's Earthworks 1989

rruegner

Sep 27, 2004, 5:40:11 PM
Hi Marco,
log file = /var/log/samba/%U.%m.log
works for me in the way that all logs get created
so this is not my problem, but in my case
the vfs extd_audit info is only showing up
in the file %m.log which
is not the desired function I need,
but I have read John's post to the stuff and
it seems that vfs extd_audit is not stable ( under coding current ) at
the moment
so I will wait until new things are coming up
Regards

Marco De Vitis wrote:


> On 27/09/2004, at 18:23, rruegner wrote:
>
>
>>also not working
>>log file = /var/log/samba/%U.%m.log
>
>
> It works fine here, since Samba 2.x. Actually I use it the reverse way:
> %m.%U.log
>
> Some files are created as "machinename..log", without username, but I
> suppose that's normal: they are probably used to log events taking place
> when no user has been authenticated yet, or something like that.
>
--

John H Terpstra

Sep 28, 2004, 1:50:06 AM
On Monday 27 September 2004 10:44, Marco De Vitis wrote:
> On 23/09/2004, at 8:22, John H Terpstra wrote:
> > Given recent discussion on this list I have just updated the master
> > Samba-Docs information regarding the Debug Class (Log Level) settings and
> > the audit
>
> Great, thanks!
>
> Anyway something is still not clear to me. I quote from the updated howto:
> > Logging can take place to the default log file (log.smbd) for all loaded
> > VFS modules just be setting in the smb.conf file log level = 0 vfs:x,
> > where x is the log level. This will disable general logging while
> > activating all logging of VFS module activity at the log level
> > specified.
>
> Apart from "be" -> "by" (I suppose), does this mean that a global log
> level of zero is NECESSARY for correct extd_audit logging? Or is it just a
> suggestion?

Fixed in the source tree now.

- John T.


rruegner

Sep 29, 2004, 9:10:05 PM
Hi @ll and John
log level = 2 vfs:1
log file = /var/log/samba/%U.%m.log
syslog = 0
now works, as I wanted the logs to be
Thx


John H Terpstra wrote:
