samba - May 2018 - vfs_full_audit and facility 'auth'...

On Fri, 11 May 2018 09:14:24 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> 
> > You would replace 'FACILITY' with one of the facilities shown
in
> > 'man syslog' e.g. full_audit:facility = LOG_AUTH
> 
> OK, done. But samba (as stated in previous email) still reply:
> 
>  [2018/05/08 17:34:42.388486,
> 0] ../source3/param/loadparm.c:1179(lp_enum) lp_enum(LOG_AUTH,enum):
> value is not in enum_list!
> 
> so seems that 'auth' and also 'LOG_AUTH' is not a valid
keyword...
> 
> 
> (debian jessie, systemd, samba 4.5 from louis repository)
> 
OK, if you look in 'man vfs_full_audit' is says this:

        full_audit:facility = FACILITY
           Log messages to the named syslog(3) facility.

If you then examine 'man syslog', 'LOG_AUTH' is a listed
facility, but
I can confirm that using it with vfs_full_audit doesn't work,
'LOCAL5'
does.

Does anybody know which of the facilities listed in 'man syslog'
actually work ? or do I have try each of them to find out ?

I have copied in samba technical on this.

Rowland

On 11 May 2018 at 10:58, Rowland Penny via samba <samba at
lists.samba.org>
wrote:
> On Fri, 11 May 2018 09:14:24 +0200
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > Mandi! Rowland Penny via samba
> >   In chel di` si favelave...
> >
> > > You would replace 'FACILITY' with one of the facilities
shown in
> > > 'man syslog' e.g. full_audit:facility = LOG_AUTH
> >
> > OK, done. But samba (as stated in previous email) still reply:
> >
> >  [2018/05/08 17:34:42.388486,
> > 0] ../source3/param/loadparm.c:1179(lp_enum) lp_enum(LOG_AUTH,enum):
> > value is not in enum_list!
> >
> > so seems that 'auth' and also 'LOG_AUTH' is not a
valid keyword...
> >
> >
> > (debian jessie, systemd, samba 4.5 from louis repository)
> >
>
> OK, if you look in 'man vfs_full_audit' is says this:
>
>         full_audit:facility = FACILITY
>            Log messages to the named syslog(3) facility.
>
> If you then examine 'man syslog', 'LOG_AUTH' is a listed
facility, but
> I can confirm that using it with vfs_full_audit doesn't work,
'LOCAL5'
> does.
>
> Does anybody know which of the facilities listed in 'man syslog'
> actually work ? or do I have try each of them to find out ?
>
>
Use the source, Like! (c)

static int audit_syslog_facility(vfs_handle_struct *handle)
{
        static const struct enum_list enum_log_facilities[] = {
                { LOG_USER, "USER" },
                { LOG_LOCAL0, "LOCAL0" },
                { LOG_LOCAL1, "LOCAL1" },
                { LOG_LOCAL2, "LOCAL2" },
                { LOG_LOCAL3, "LOCAL3" },
                { LOG_LOCAL4, "LOCAL4" },
                { LOG_LOCAL5, "LOCAL5" },
                { LOG_LOCAL6, "LOCAL6" },
                { LOG_LOCAL7, "LOCAL7" },
                { -1, NULL}
        };

        int facility;

        facility = lp_parm_enum(SNUM(handle->conn), "full_audit",
"facility", enum_log_facilities, LOG_USER);

        return facility;
}

Clearly, the only possible facilities are LOCAL* and USER. That raises the
question why it's not mentioned in the man page and why is this limitation
in place?

With regards,
Timur Bakeyev.

On Fri, 11 May 2018 16:46:55 +0200
"Timur I. Bakeyev" <timur at freebsd.org> wrote:
> On 11 May 2018 at 10:58, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> 
> > On Fri, 11 May 2018 09:14:24 +0200
> > Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> >
> > > Mandi! Rowland Penny via samba
> > >   In chel di` si favelave...
> > >
> > > > You would replace 'FACILITY' with one of the
facilities shown in
> > > > 'man syslog' e.g. full_audit:facility = LOG_AUTH
> > >
> > > OK, done. But samba (as stated in previous email) still reply:
> > >
> > >  [2018/05/08 17:34:42.388486,
> > > 0] ../source3/param/loadparm.c:1179(lp_enum)
> > > lp_enum(LOG_AUTH,enum): value is not in enum_list!
> > >
> > > so seems that 'auth' and also 'LOG_AUTH' is not a
valid keyword...
> > >
> > >
> > > (debian jessie, systemd, samba 4.5 from louis repository)
> > >
> >
> > OK, if you look in 'man vfs_full_audit' is says this:
> >
> >         full_audit:facility = FACILITY
> >            Log messages to the named syslog(3) facility.
> >
> > If you then examine 'man syslog', 'LOG_AUTH' is a
listed facility,
> > but I can confirm that using it with vfs_full_audit doesn't work,
> > 'LOCAL5' does.
> >
> > Does anybody know which of the facilities listed in 'man
syslog'
> > actually work ? or do I have try each of them to find out ?
> >
> >
> Use the source, Like! (c)
Well yes, it is all very well and good saying that, but it depends on
two things, knowing where to look and then understanding C. I didn't
know where to look and to me 'C' comes between B & D ;-)
> 
> static int audit_syslog_facility(vfs_handle_struct *handle)
> {
>         static const struct enum_list enum_log_facilities[] = {
>                 { LOG_USER, "USER" },
>                 { LOG_LOCAL0, "LOCAL0" },
>                 { LOG_LOCAL1, "LOCAL1" },
>                 { LOG_LOCAL2, "LOCAL2" },
>                 { LOG_LOCAL3, "LOCAL3" },
>                 { LOG_LOCAL4, "LOCAL4" },
>                 { LOG_LOCAL5, "LOCAL5" },
>                 { LOG_LOCAL6, "LOCAL6" },
>                 { LOG_LOCAL7, "LOCAL7" },
>                 { -1, NULL}
>         };
> 
>         int facility;
> 
>         facility = lp_parm_enum(SNUM(handle->conn),
"full_audit",
> "facility", enum_log_facilities, LOG_USER);
> 
>         return facility;
> }
> 
> Clearly, the only possible facilities are LOCAL* and USER. That
> raises the question why it's not mentioned in the man page and why is
> this limitation in place?
Good questions and I don't know the answers to them, the other question
is, why does the man page say you can use any syslog facility when
obviously you cannot ?

Rowland

On Fri, 11 May 2018 17:56:44 +0200
"Timur I. Bakeyev" <timur at com.bat.ru> wrote:
> On 11 May 2018 at 17:00, Rowland Penny via samba-technical <
> samba-technical at lists.samba.org> wrote:
> 
> > On Fri, 11 May 2018 16:46:55 +0200
> > "Timur I. Bakeyev" <timur at freebsd.org> wrote:
> > >         static const struct enum_list enum_log_facilities[] = {
> > >                 { LOG_USER, "USER" },
> > >                 { LOG_LOCAL0, "LOCAL0" },
> > >                 { LOG_LOCAL1, "LOCAL1" },
> > >                 { LOG_LOCAL2, "LOCAL2" },
> > >                 { LOG_LOCAL3, "LOCAL3" },
> > >                 { LOG_LOCAL4, "LOCAL4" },
> > >                 { LOG_LOCAL5, "LOCAL5" },
> > >                 { LOG_LOCAL6, "LOCAL6" },
> > >                 { LOG_LOCAL7, "LOCAL7" },
> >
> 
> 
> > > Clearly, the only possible facilities are LOCAL* and USER. That
> > > raises the question why it's not mentioned in the man page
and
> > > why is this limitation in place?
> >
> > Good questions and I don't know the answers to them, the other
> > question is, why does the man page say you can use any syslog
> > facility when obviously you cannot ?
> >
> >
> Everyone lies! (c) Seems it's a day of quotes for me :)
> 
> something has to be fixed here - either man page or the code. I don't
> see much of the reason to limit facilities to those low-end, general
> purpose ones. AUTH, actually, makes sense for audit logs.
> 
> Question to developers.
> 
> With regards,
> Timur Bakeyev.
Well, I can prepare a patch to fix the man page, but would it be better
to fix the code to do what the man page says it can do now ?

Rowland

On 11 May 2018 at 18:21, Rowland Penny via samba-technical <
samba-technical at lists.samba.org> wrote:
> On Fri, 11 May 2018 17:56:44 +0200
> "Timur I. Bakeyev" <timur at com.bat.ru> wrote:
>
> > On 11 May 2018 at 17:00, Rowland Penny via samba-technical <
> > samba-technical at lists.samba.org> wrote:
> >
> > > On Fri, 11 May 2018 16:46:55 +0200
> > > "Timur I. Bakeyev" <timur at freebsd.org> wrote:
> > > >         static const struct enum_list enum_log_facilities[]
= {
> > > >                 { LOG_USER, "USER" },
> > > >                 { LOG_LOCAL0, "LOCAL0" },
> > > >                 { LOG_LOCAL1, "LOCAL1" },
> > > >                 { LOG_LOCAL2, "LOCAL2" },
> > > >                 { LOG_LOCAL3, "LOCAL3" },
> > > >                 { LOG_LOCAL4, "LOCAL4" },
> > > >                 { LOG_LOCAL5, "LOCAL5" },
> > > >                 { LOG_LOCAL6, "LOCAL6" },
> > > >                 { LOG_LOCAL7, "LOCAL7" },
> > >
> >
> >
> > > > Clearly, the only possible facilities are LOCAL* and USER.
That
> > > > raises the question why it's not mentioned in the man
page and
> > > > why is this limitation in place?
> > >
> > > Good questions and I don't know the answers to them, the
other
> > > question is, why does the man page say you can use any syslog
> > > facility when obviously you cannot ?
> > >
> > >
> > Everyone lies! (c) Seems it's a day of quotes for me :)
> >
> > something has to be fixed here - either man page or the code. I
don't
> > see much of the reason to limit facilities to those low-end, general
> > purpose ones. AUTH, actually, makes sense for audit logs.
> >
> > Question to developers.
>
> Well, I can prepare a patch to fix the man page, but would it be better
> to fix the code to do what the man page says it can do now ?
>
>
Fixing it in both ways is easy, but it would be nice to hear from the
developers, why did they choose such a limited set of syslog facilities.

Timur.