John H Terpstra
2004-Sep-23 06:22 UTC
[Samba] VFS Extended Auditing Module Debug Information
Folks,

Given recent discussion on this list I have just updated the master Samba-Docs
information regarding the Debug Class (Log Level) settings and the audit
information each causes to be logged. This will appear in on-line versions of
the Samba-HOWTO-Collection within 24 hours. To obtain an updated version
point your browser at:
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

The purpose of the extd_audit (Extended Audit) module is to permit logging of
critical file and directory access to BOTH syslog as well as to individual
log files. To create individual log file you can use:

    log file = /var/log/samba/%U.%m.log
    log level = 0 vfs:[012]
    syslog = 0
ie:
    log level = 0 vfs:0
or  log level = 0 vfs:1
or  log level = 0 vfs:2

In this example, syslog information will be only critical general samba
information, plus full detail for all VFS modules up to the log level
specified.

Please refer to the documentation in the VFS Modules chapter - the information
logged has changed from what was previously documented.

This will create an individual per-user-per-client log of all level 0, 1, or 2
action. See also the updated chapter on Debugging Samba (Chapter 34.3.1).

Despite recent criticism regarding the difficulty of establishing acceptable
auditing logs, this module is in use in a number of sites that require strict
auditability of file and directory operations.

Enjoy.

- John T.
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
Hi John,

I just tried your examples with SuSE 9.0, Samba 3.07.

In globals:

    log file = /var/log/samba/%m.log
    log level = vfs:2
    syslog = 0

works, but I have only create and rename messages in the log; a deletion is named unlinked (sounds like a miracle to me).

    log file = /var/log/samba/%U.%m.log

creates test.testmachine.log, but only extd_audit is written to .testmachine.log (%U.%m.log this doesn't work).

I have it like this in the share:

    [files3]
    comment = public files
    path = /files3
    read only = No
    guest ok = Yes
    browseable = Yes
    csc policy = disable
    vfs objects = vscan-clamav, netatalk, extd_audit, recycle
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:exclude = ?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP
    recycle:exclude_dir= /tmp,/temp,/cache
    recycle:repository = .recycle/.recycle.%u
    recycle:noversions = *.doc,*.xls,*.ppt

Where's my mistake? And do you know what this full_audit module is?

-----------
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_fchmod_acl(322)
  vfs_extd_audit: fchmod_acl Neu Textdokument.txt mode 0x1e4 failed: Keine Daten verf?gbarvfs_extd_audit: opendir ./
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_opendir(141)
[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_rename(232)
  vfs_extd_audit: rename old: ./Neu Textdokument.txt new: ./testfile.txt
[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_opendir(141)
[2004/09/23 14:37:45, 0] modules/vfs_extd_audit.c:audit_unlink(250)
  vfs_extd_audit: unlink testfile.txt
[2004/09/23 14:37:45, 1] modules/vfs_extd_audit.c:audit_opendir(141)
-------------

    log level = 0 vfs:2

produces nothing in the logs.

Regards

John H Terpstra wrote:
> Folks,
>
> Given recent discussion on this list I have just updated the master Samba-Docs
> information regarding the Debug Class (Log Level) settings and the audit
> information each causes to be logged. This will appear in on-line versions of
> the Samba-HOWTO-Collection within 24 hours. To obtain an updated version
> point your browser at:
> http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
>
> The purpose of the extd_audit (Extended Audit) module is to permit logging of
> critical file and directory access to BOTH syslog as well as to individual
> log files. To create individual log file you can use:
>
>     log file = /var/log/samba/%U.%m.log
>     log level = 0 vfs:[012]
>     syslog = 0
> ie:
>     log level = 0 vfs:0
> or  log level = 0 vfs:1
> or  log level = 0 vfs:2
>
> In this example, syslog information will be only critical general samba
> information, plus full detail for all VFS modules up to the log level
> specified.
>
> Please refer to the documentation in the VFS Modules chapter - the information
> logged has changed from what was previously documented.
>
> This will create an individual per-user-per-client log of all level 0, 1, or 2
> action. See also the updated chapter on Debugging Samba (Chapter 34.3.1).
>
> Despite recent criticism regarding the difficulty of establishing acceptable
> auditing logs, this module is in use in a number of sites that require strict
> auditability of file and directory operations.
>
> Enjoy.
>
> - John T.
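A parser for vfs_extd_audit entries like those in the excerpt above, as an added example that is not part of the original thread or of Samba: it pairs each debug header with its message line and filters by debug level, tolerating headers whose message line is missing. The sample log is constructed from the posted excerpt, and the function names are assumptions of this example.

```python
import re
from datetime import datetime

# Samba debug header, e.g. "[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_rename(232)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"\S*vfs_extd_audit\.c:audit_(?P<op>\w+)\(\d+\)\s*$"
)
# Indented message line that follows a header
MESSAGE = re.compile(r"^\s*vfs_extd_audit:\s*(?P<detail>.*)$")

# Constructed sample modelled on the excerpt posted in the thread.
SAMPLE_LOG = """\
[2004/09/23 14:37:14, 1] modules/vfs_extd_audit.c:audit_opendir(141)
  vfs_extd_audit: opendir ./
[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_rename(232)
  vfs_extd_audit: rename old: ./Neu Textdokument.txt new: ./testfile.txt
[2004/09/23 14:37:40, 1] modules/vfs_extd_audit.c:audit_opendir(141)
[2004/09/23 14:37:45, 0] modules/vfs_extd_audit.c:audit_unlink(250)
  vfs_extd_audit: unlink testfile.txt
"""

def parse_audit_log(text):
    """Pair each extd_audit header with its message line, if one follows."""
    events, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = {
                "time": datetime.strptime(h["ts"], "%Y/%m/%d %H:%M:%S"),
                "level": int(h["level"]),
                "op": h["op"],
                "detail": None,  # stays None when the message line is missing
            }
            events.append(current)
            continue
        m = MESSAGE.match(line)
        if m and current is not None and current["detail"] is None:
            current["detail"] = m["detail"]
    return events

def events_at_or_below(events, vfs_level):
    """Events that 'log level = 0 vfs:<vfs_level>' would still record."""
    return [e for e in events if e["level"] <= vfs_level]

if __name__ == "__main__":
    for e in parse_audit_log(SAMPLE_LOG):
        print(e["time"], e["level"], e["op"], e["detail"])
```

In the sample, only the unlink entry is logged at level 0, so a setting of vfs:0 would keep deletions but drop the rename and opendir entries.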
Marco De Vitis
2004-Sep-27 16:45 UTC
[Samba] Re: VFS Extended Auditing Module Debug Information
On 23/09/2004, at 8:22, John H Terpstra wrote:

> Given recent discussion on this list I have just updated the master Samba-Docs
> information regarding the Debug Class (Log Level) settings and the audit

Great, thanks!

Anyway something is still not clear to me. I quote from the updated howto:

> Logging can take place to the default log file (log.smbd) for all loaded
> VFS modules just be setting in the smb.conf file log level = 0 vfs:x,
> where x is the log level. This will disable general logging while
> activating all logging of VFS module activity at the log level
> specified.

Apart from "be" -> "by" (I suppose), does this mean that a global log level of zero is NECESSARY for correct extd_audit logging? Or is it just a suggestion?

Also, this "vfs:x" parameter looks like a global VFS parameter. Does this mean that any other VFS module which outputs debug information (I don't know if others exist) will be affected by it?

> log level = 0 vfs:[012]
> syslog = 0
> ie:
> log level = 0 vfs:0
> or log level = 0 vfs:1
> or log level = 0 vfs:2
>
> In this example, syslog information will be only critical general samba

I just tried these settings:

    log file = /var/log/samba/%m.%U.log
    syslog = 0
    log level = 0 vfs:2
    max log size = 0

...and restarted samba (3.0.7), but I still get lots of smbd_audit stuff in syslog, and ONLY in syslog (i.e. not in samba logfiles): open, close, opendir, rename, chmod...

> Despite recent criticism regarding the difficulty of establishing acceptable

I'm not critical regarding audit, I'm critical regarding docs about it. ;)

Let me explain: when using Samba 2.x I expressed on some mailing lists the desire for good auditing on file access, and I was told that the audit VFS module in Samba 3 was the answer to my problems. I now finally got to use Samba 3, but I felt lost regarding the way to obtain usable audit logs, and so a bit disappointed.

As far as I can see, this is a fairly popular topic, so maybe it should be documented in more detail, covering all doubts users seem to express on the subject.
Anyway your new additions to the howto are already a good step forward, I now have a clearer idea of what I should do.

--
Ciao,
Marco.

..."Kid A", Radiohead 2000
John H Terpstra
2004-Sep-27 18:03 UTC
[Samba] Re: VFS Extended Auditing Module Debug Information
> -------- Original Message --------
> Subject: [Samba] Re: VFS Extended Auditing Module Debug Information
> From: "Marco De Vitis" <starless@spin.it>
> Date: Mon, September 27, 2004 9:44 am
> To: samba@lists.samba.org
>
> On 23/09/2004, at 8:22, John H Terpstra wrote:
>
> > Given recent discussion on this list I have just updated the master Samba-Docs
> > information regarding the Debug Class (Log Level) settings and the audit
>
> Great, thanks!
>
> Anyway something is still not clear to me. I quote from the updated howto:
>
> > Logging can take place to the default log file (log.smbd) for all loaded
> > VFS modules just be setting in the smb.conf file log level = 0 vfs:x,
> > where x is the log level. This will disable general logging while
> > activating all logging of VFS module activity at the log level
> > specified.
>
> Apart from "be" -> "by" (I suppose), does this mean that a global log

Oops. I'll fix that typo.

> level of zero is NECESSARY for correct extd_audit logging? Or is it just a
> suggestion?

Suggestion to keep log noise level down.

>
> Also, this "vfs:x" parameter looks like a global VFS parameter. Does this
> mean that any other VFS module which outputs debug information (I don't
> know if others exist) will be affected by it?

Correct. All VFS modules will be affected. The alternative is to modify a VFS module so it will read the log level info and thereby affect just its own actions.

>
> > log level = 0 vfs:[012]
> > syslog = 0
> > ie:
> > log level = 0 vfs:0
> > or log level = 0 vfs:1
> > or log level = 0 vfs:2
> >
> > In this example, syslog information will be only critical general samba
>
> I just tried these settings:
>
> log file = /var/log/samba/%m.%U.log
> syslog = 0
> log level = 0 vfs:2
> max log size = 0
>
> ...and restarted samba (3.0.7), but I still get lots of smbd_audit stuff
> in syslog, and ONLY in syslog (i.e. not in samba logfiles): open, close,
> opendir, rename, chmod...

I've had the same report from others. I'll look into this when I get some time.

>
> > Despite recent criticism regarding the difficulty of establishing acceptable
>
> I'm not critical regarding audit, I'm critical regarding docs about it. ;)

;)

>
> Let me explain: when using Samba 2.x I expressed on some mailing lists the
> desire for good auditing on file access, and I was told that the audit VFS
> module in Samba 3 was the answer to my problems. I now finally got to use
> Samba 3, but I felt lost regarding the way to obtain usable audit logs,
> and so a bit disappointed.

Understood. I just discovered that someone has been hacking on the source code and has changed the way it works without updating the documentation! Argh!

>
> As far as I can see, this is a fairly popular topic, so maybe it should be
> documented in more detail, covering all doubts users seem to express on
> the subject.
> Anyway your new additions to the howto are already a good step forward, I
> now have a clearer idea of what I should do.

OK. More to follow when I get some time to sort this out.

- John T.

>
> --
> Ciao,
> Marco.
>
> ..."Kid A", Radiohead 2000
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba