On Wed, Jun 15, 2022 at 05:12:45PM +0100, Rowland Penny via samba wrote:>On Wed, 2022-06-15 at 17:26 +0200, Kees van Vloten via samba wrote: >> Hi Team, >> >> >> I have enabled full_audit logging on a (domain-member) file-server >> (running 4.15.7 from Louis on Bullseye) >> >> [global] >> log level = 3 >> full_audit:success = pwrite write rename > >There have been changes, try replacing 'rename' with 'renameat'. >I think what is happening is that because 'rename is now an error, it >is defaulting to 'all'.We should probably just log a debug message about the unknown name and then ignore the unknown name instead of going full "ALL" on the audit. Rowland, can you log a bug on this so we can track getting a fix. This problem keeps coming up and is a pain point for users. Thanks ! Jeremy.
On Wed, 2022-06-15 at 11:55 -0700, Jeremy Allison wrote:> On Wed, Jun 15, 2022 at 05:12:45PM +0100, Rowland Penny via samba > wrote: > > On Wed, 2022-06-15 at 17:26 +0200, Kees van Vloten via samba wrote: > > > Hi Team, > > > > > > > > > I have enabled full_audit logging on a (domain-member) file- > > > server > > > (running 4.15.7 from Louis on Bullseye) > > > > > > [global] > > > log level = 3 > > > full_audit:success = pwrite write rename > > > > There have been changes, try replacing 'rename' with 'renameat'. > > I think what is happening is that because 'rename is now an error, > > it > > is defaulting to 'all'. > > We should probably just log a debug message > about the unknown name and then ignore the > unknown name instead of going full "ALL" > on the audit. > > Rowland, can you log a bug on this so > we can track getting a fix. This problem keeps > coming up and is a pain point for users. > > Thanks ! > > Jeremy.Done, see: https://bugzilla.samba.org/show_bug.cgi?id=15098 Rowland
Op 15-06-2022 om 20:55 schreef Jeremy Allison via samba:> On Wed, Jun 15, 2022 at 05:12:45PM +0100, Rowland Penny via samba wrote: >> On Wed, 2022-06-15 at 17:26 +0200, Kees van Vloten via samba wrote: >>> Hi Team, >>> >>> >>> I have enabled full_audit logging on a (domain-member) file-server >>> (running 4.15.7 from Louis on Bullseye) >>> >>> [global] >>> ???????? log level = 3 >>> ???????? full_audit:success = pwrite write rename >> >> There have been changes, try replacing 'rename' with 'renameat'. >> I think what is happening is that because 'rename is now an error, it >> is defaulting to 'all'. > > We should probably just log a debug message > about the unknown name and then ignore the > unknown name instead of going full "ALL" > on the audit. > > Rowland, can you log a bug on this so > we can track getting a fix. This problem keeps > coming up and is a pain point for users. > > Thanks ! > > Jeremy. >That is indeed better, with the current behaviour the log filesystem went to 100% in pretty short time. If Rowland did not do it already I can create the bug as well. - Kees.
On 6/15/22 20:55, Jeremy Allison via samba wrote:> We should probably just log a debug message > about the unknown name and then ignore the > unknown name instead of going full "ALL" > on the audit.fwiw, as I've faced this issue before as well, my take is that we should fail the connect if the config has wrong VFS names in the audit config. -slow -- Ralph Boehme, Samba Team https://samba.org/ SerNet Samba Team Lead https://sernet.de/en/team-samba -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20220615/d4510b98/OpenPGP_signature.sig>