On 12/10/2021 10:55, Rowland Penny via samba wrote:
>
> By no means can you describe a PDC as a simple file server :-D
>
Sorry. ClearOS terminology :S
>>
>>
>> [test]
>>         vfs objects = full_audit:audit
>
> Try it like this:
>
>         vfs objects = full_audit audit

Hmm. That logs a single line:

Oct 12 11:06:50 microserver smbd_audit[18821]: connect to service test by user test1

If I do the edits I described I get a lot more when opening, creating and deleting files:

Oct 12 11:17:48 microserver smbd_audit: test1|stat|fail (No such file or directory)|/var/flexshare/shares/test/subdolder/New folder
Oct 12 11:17:48 microserver smbd_audit: test1|stat|fail (No such file or directory)|/var/flexshare/shares/test/subdolder/New folder
Oct 12 11:17:48 microserver smbd_audit: test1|opendir|ok|.
Oct 12 11:17:48 microserver smbd_audit: test1|realpath|fail (No such file or directory)|subdolder/New folder
Oct 12 11:17:48 microserver smbd_audit: test1|create_file|fail (No such file or directory)|0x100080|file|open|/var/flexshare/shares/test/subdolder/New folder
Oct 12 11:17:48 microserver smbd_audit: test1|open|ok|r|/var/flexshare/shares/test/subdolder
Oct 12 11:17:48 microserver smbd_audit: test1|open|ok|r|/var/flexshare/shares/test/subdolder
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/.
Oct 12 11:17:48 microserver smbd_audit: test1|getxattr|fail (No data available)|subdolder/..|user.DOSATTRIB
Oct 12 11:17:48 microserver smbd_audit: test1|get_dos_attributes|fail (No data available)|/var/flexshare/shares/test/subdolder/..
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (No data available)|/var/flexshare/shares/test/subdolder/..
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/990
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/njh
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/clearos.reg
Oct 12 11:17:48 microserver smbd_audit: test1|open|ok|r|/var/flexshare/shares/test/subdolder
Oct 12 11:17:48 microserver smbd_audit: test1|open|ok|r|/var/flexshare/shares/test/subdolder
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/.
Oct 12 11:17:48 microserver smbd_audit: test1|getxattr|fail (No data available)|subdolder/..|user.DOSATTRIB
Oct 12 11:17:48 microserver smbd_audit: test1|get_dos_attributes|fail (No data available)|/var/flexshare/shares/test/subdolder/..
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (No data available)|/var/flexshare/shares/test/subdolder/..
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/990
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/njh
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/clearos.reg
Oct 12 11:17:48 microserver smbd_audit: test1|open|ok|r|/var/flexshare/shares/test/subdolder
Oct 12 11:17:48 microserver smbd_audit: test1|open|ok|r|/var/flexshare/shares/test/subdolder
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/.
Oct 12 11:17:48 microserver smbd_audit: test1|getxattr|fail (No data available)|subdolder/..|user.DOSATTRIB
Oct 12 11:17:48 microserver smbd_audit: test1|get_dos_attributes|fail (No data available)|/var/flexshare/shares/test/subdolder/..
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (No data available)|/var/flexshare/shares/test/subdolder/..
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/990
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/njh
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/clearos.reg
Oct 12 11:17:48 microserver smbd_audit: test1|open|ok|r|/var/flexshare/shares/test
Oct 12 11:17:48 microserver smbd_audit: test1|getxattr|fail (No data available)|.|user.DOSATTRIB
Oct 12 11:17:48 microserver smbd_audit: test1|get_dos_attributes|fail (No data available)|/var/flexshare/shares/test
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (No data available)|/var/flexshare/shares/test
Oct 12 11:17:48 microserver smbd_audit: test1|getxattr|fail (No data available)|..|user.DOSATTRIB
Oct 12 11:17:48 microserver smbd_audit: test1|get_dos_attributes|fail (No data available)|/var/flexshare/shares/test/..
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (No data available)|/var/flexshare/shares/test/..
Oct 12 11:17:48 microserver smbd_audit: test1|getxattr|fail (No data available)|990|user.DOSATTRIB
Oct 12 11:17:48 microserver smbd_audit: test1|get_dos_attributes|fail (No data available)|/var/flexshare/shares/test/990
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (No data available)|/var/flexshare/shares/test/990
Oct 12 11:17:48 microserver smbd_audit: test1|getxattr|fail (No data available)|logon.cmd|user.DOSATTRIB
Oct 12 11:17:48 microserver smbd_audit: test1|get_dos_attributes|fail (No data available)|/var/flexshare/shares/test/logon.cmd
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (No data available)|/var/flexshare/shares/test/logon.cmd
Oct 12 11:17:48 microserver smbd_audit: test1|getxattr|fail (No data available)|.trash|user.DOSATTRIB
Oct 12 11:17:48 microserver smbd_audit: test1|get_dos_attributes|fail (No data available)|/var/flexshare/shares/test/.trash
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (No data available)|/var/flexshare/shares/test/.trash
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder
Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/21

Nick
On 12/10/2021 11:21, Nick Howitt via samba wrote:
>
> On 12/10/2021 10:55, Rowland Penny via samba wrote:
>>
>> By no means can you describe a PDC as a simple file server :-D
>>
> Sorry. ClearOS terminology :S
>>>
>>>
>>> [test]
>>>         vfs objects = full_audit:audit
>>
>> Try it like this:
>>
>>         vfs objects = full_audit audit
>
> Hmm. That logs a single line:
> Oct 12 11:06:50 microserver smbd_audit[18821]: connect to service test
> by user test1
>
> If I do the edits I described I get a lot more when opening, creating
> and deleting files:
>
> Oct 12 11:17:48 microserver smbd_audit: test1|stat|fail (No such file or
> directory)|/var/flexshare/shares/test/subdolder/New folder
> Oct 12 11:17:48 microserver smbd_audit: test1|stat|fail (No such file or
> directory)|/var/flexshare/shares/test/subdolder/New folder
<big snip>
> Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail
> (Operation not supported)|/var/flexshare/shares/test/21
>
> Nick
>

So paring down the config got the audit vfs to work, but the output does not seem to be much use for working out who did what. It looks like the output from the full_audit vfs is better as it logs users and so on, but there is so much output.

The man page at https://www.samba.org/samba/docs/current/man-html/vfs_full_audit.8.html shows what can be monitored, but what do I ideally need? The idea of enabling it is so a sysadmin can audit who added/deleted/changed what and when.

So far I see I may want some or all of:

open
rename
unlink
get_alloc_size #not sure
file_id_create
realpath #not sure
connectpath #not sure

Also what I probably don't want is:

!sys_acl_get_file
!get_nt_acl
!listxattr
!readdir
!telldir
!kernel_flock
!close
!get_dos_attributes
!getxattr
!chdir
!strict_lock_check
!getwd

But there are others like "stat" and so on. Does anyone have any documentation on what all these operations are? Also does anyone have any suggestions for a good set of operations to monitor?

Nick
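The full_audit lines quoted above share one shape: syslog header, then `user|operation|ok or fail (errno text)|operation arguments`, separated by the module's default `|`. The script below is an added example for this thread, not Samba code or anything the list posted. It parses that shape, skips lines that are not in it (such as the plain `audit` module's "connect to service" line), counts operations so you can see which ones are producing the noise, and reduces the stream to the "who added/deleted/changed what and when" events the post is after: successful `open` for write, `rename`, `unlink`, `mkdir`, `rmdir`, and `create_file` with a disposition other than a plain `open`. It assumes the prefix is just the user name (as the quoted lines show), and the sample lines marked constructed are made up for the example; the others are copied from the thread.

```python
"""Reduce Samba vfs_full_audit syslog output to a who/what/when change log.

Added example for this thread; not Samba code. Assumes the default '|'
separator and a prefix of just the user name, as in the lines quoted above.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Syslog header as it appears in the thread:
# "Oct 12 11:17:48 microserver smbd_audit[18821]: <payload>" (pid optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) smbd_audit(?:\[\d+\])?: (?P<payload>.*)$"
)

# Operations that can change share contents. stat, readdir_attr, getxattr and
# friends are lookup noise for a "who changed what" audit and are ignored.
CHANGE_OPS = {"open", "create_file", "unlink", "rename", "mkdir", "rmdir"}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    op: str
    ok: bool
    error: Optional[str]
    args: List[str]

    def describe(self) -> Optional[str]:
        """One-line description if this event changes content, else None."""
        if self.op not in CHANGE_OPS or not self.args:
            return None
        if self.op == "open":
            # full_audit logs open as open|<result>|<r|w>|<path>; reads are not changes
            if self.args[0] != "w" or len(self.args) < 2:
                return None
            what = f"opened for write {self.args[1]}"
        elif self.op == "rename":
            if len(self.args) < 2:
                return None
            what = f"renamed {self.args[0]} -> {self.args[1]}"
        elif self.op == "create_file":
            # Field order as in the thread's create_file line:
            # <access mask>|<file|dir>|<disposition>|<path>. A plain "open"
            # disposition creates nothing, so only other dispositions count.
            if len(self.args) < 4 or self.args[2] == "open":
                return None
            what = f"create_file ({self.args[2]}) {self.args[3]}"
        else:  # unlink, mkdir, rmdir: the path is the last argument
            what = f"{self.op} {self.args[-1]}"
        status = "ok" if self.ok else f"FAILED ({self.error})"
        return f"{self.timestamp} {self.user} {what} [{status}]"


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one syslog line; return None if it is not a full_audit record."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("payload").split("|")
    if len(fields) < 3:
        return None  # e.g. the audit module's "connect to service test by user test1"
    user, op, result = fields[0], fields[1], fields[2]
    if result == "ok":
        ok, error = True, None
    elif result.startswith("fail"):
        ok, error = False, (result[len("fail"):].strip(" ()") or None)
    else:
        return None  # third field is not a full_audit result
    return AuditEvent(m.group("ts"), user, op, ok, error, fields[3:])


def op_counts(lines: Iterable[str]) -> Counter:
    """Count operations per name, to see which ones dominate the log."""
    return Counter(ev.op for ev in map(parse_line, lines) if ev is not None)


def change_log(lines: Iterable[str]) -> List[str]:
    """Return only the content-changing events, one readable line each."""
    out = []
    for ev in map(parse_line, lines):
        desc = ev.describe() if ev is not None else None
        if desc:
            out.append(desc)
    return out


SAMPLE_LINES = [
    # From the thread: the plain audit module's connect line (not full_audit format)
    "Oct 12 11:06:50 microserver smbd_audit[18821]: connect to service test by user test1",
    # From the thread: full_audit lookup noise and a failed create_file
    "Oct 12 11:17:48 microserver smbd_audit: test1|stat|fail (No such file or directory)|/var/flexshare/shares/test/subdolder/New folder",
    "Oct 12 11:17:48 microserver smbd_audit: test1|create_file|fail (No such file or directory)|0x100080|file|open|/var/flexshare/shares/test/subdolder/New folder",
    "Oct 12 11:17:48 microserver smbd_audit: test1|open|ok|r|/var/flexshare/shares/test/subdolder",
    "Oct 12 11:17:48 microserver smbd_audit: test1|readdir_attr|fail (Operation not supported)|/var/flexshare/shares/test/subdolder/990",
    # Constructed for this example (not from the thread): the changes an admin wants to see
    "Oct 12 11:18:02 microserver smbd_audit: test1|open|ok|w|/var/flexshare/shares/test/subdolder/notes.txt",
    "Oct 12 11:18:09 microserver smbd_audit: test1|rename|ok|/var/flexshare/shares/test/subdolder/notes.txt|/var/flexshare/shares/test/subdolder/notes-old.txt",
    "Oct 12 11:18:15 microserver smbd_audit: test1|unlink|ok|/var/flexshare/shares/test/subdolder/notes-old.txt",
    "Oct 12 11:18:20 microserver smbd_audit: test1|mkdir|ok|/var/flexshare/shares/test/subdolder/New folder",
]

if __name__ == "__main__":
    for op, n in op_counts(SAMPLE_LINES).most_common():
        print(f"{n:5d} {op}")
    print("--- changes ---")
    print("\n".join(change_log(SAMPLE_LINES)))
```

Run it against `/var/log/messages` (or wherever `smbd_audit` lands) with `change_log(open(path))` and the read-only lookups fall away, leaving only the writes, renames, deletions and directory changes with user and time. The `op_counts` output is the quicker way to answer the question in the post: whichever operations top that list and never appear in `change_log` are the candidates for the exclusion list, which the linked man page lets you apply at the source through the `full_audit:success` and `full_audit:failure` lists rather than filtering afterwards.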