The Samba-Bugzilla – Attachment 16594 Details for Bug 14689: documentation for dsdb_group_audit and dsdb_group_json_audit missing from "log level"
Description: patch backported to 4.13 and 4.14
Filename: samba-audit-logs.patch
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2021-04-22 03:35:55 UTC
Size: 21.55 KB
Attachment flags: patch, obsolete
>From 2f044ac92746a6a61cd084d1440feefcff25e1b4 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 15 Apr 2021 13:52:38 +1200 >Subject: [PATCH 1/6] debug: Synchronise "log level" in smb.conf with the code > >This is done by pasting in the contents of default_classname_table[] >in lib/util/debug.c into >cut -f 2 -d \"| xargs -i sh -c 'echo "\t<listitem><para><parameter moreinfo=\"none\">{}</parameter></para></listitem>"' > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 0d30d74e89829cc7b4faa6ba835e3d90c1c410aa) >--- > docs-xml/smbdotconf/logging/loglevel.xml | 33 +++++++++++++----------- > 1 file changed, 18 insertions(+), 15 deletions(-) > >diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml >index 273765c6fbe..f185c22d649 100644 >--- a/docs-xml/smbdotconf/logging/loglevel.xml >+++ b/docs-xml/smbdotconf/logging/loglevel.xml >@@ -24,8 +24,6 @@ > <listitem><para><parameter moreinfo="none">printdrivers</parameter></para></listitem> > <listitem><para><parameter moreinfo="none">lanman</parameter></para></listitem> > <listitem><para><parameter moreinfo="none">smb</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">smb2</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">smb2_credits</parameter></para></listitem> > <listitem><para><parameter moreinfo="none">rpc_parse</parameter></para></listitem> > <listitem><para><parameter moreinfo="none">rpc_srv</parameter></para></listitem> > <listitem><para><parameter moreinfo="none">rpc_cli</parameter></para></listitem> 
>@@ -41,19 +39,24 @@ > <listitem><para><parameter moreinfo="none">msdfs</parameter></para></listitem> > <listitem><para><parameter moreinfo="none">dmapi</parameter></para></listitem> > <listitem><para><parameter moreinfo="none">registry</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">scavenger</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">dns</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">ldb</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">tevent</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">auth_audit</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">auth_json_audit</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">kerberos</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">dsdb_audit</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">dsdb_json_audit</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">dsdb_password_audit</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">dsdb_password_json_audit</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">dsdb_transaction_audit</parameter></para></listitem> >- <listitem><para><parameter moreinfo="none">dsdb_transaction_json_audit</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">scavenger</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">dns</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">ldb</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">tevent</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">auth_audit</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">auth_json_audit</parameter></para></listitem> >+ <listitem><para><parameter 
moreinfo="none">kerberos</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">drs_repl</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">smb2</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">smb2_credits</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">dsdb_audit</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">dsdb_json_audit</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">dsdb_password_audit</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">dsdb_password_json_audit</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">dsdb_transaction_audit</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">dsdb_transaction_json_audit</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">dsdb_group_audit</parameter></para></listitem> >+ <listitem><para><parameter moreinfo="none">dsdb_group_json_audit</parameter></para></listitem> > </itemizedlist> > > <para>To configure the logging for specific classes to go into a different >-- >2.25.1 > > >From d0a5550210ba47e3e7cd59a6abb59fe399e755d3 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 15 Apr 2021 14:39:49 +1200 >Subject: [PATCH 2/6] docs: Add missing documentation on dsdb_group_audit and > dsdb_group_audit_json > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 2e533664e756ccde8fc1b3e41e70437c9e7bafcd) >--- > docs-xml/smbdotconf/logging/loglevel.xml | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml >index f185c22d649..9bf8659cb92 100644 >--- a/docs-xml/smbdotconf/logging/loglevel.xml 
>+++ b/docs-xml/smbdotconf/logging/loglevel.xml >@@ -87,6 +87,10 @@ > under the dsdb_audit and a JSON representation is logged under > dsdb_json_audit.</para> > >+ <para>Group membership changes to the sam.ldb database are logged >+ under the dsdb_group_audit and a JSON representation is logged under >+ dsdb_group_json_audit.</para> >+ > <para>Password changes and Password resets are logged under > dsdb_password_audit and a JSON representation is logged under the > dsdb_password_json_audit.</para> >-- >2.25.1 > > >From a8b7c1753cf8a6f3ece58231d299af8a82595595 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 15 Apr 2021 14:44:22 +1200 >Subject: [PATCH 3/6] docs: Add proper explination on why transactions need to > be audited. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit a778a3a6420f094a953563b87f84457fdebd20a3) >--- > docs-xml/smbdotconf/logging/loglevel.xml | 19 ++++++++++++++++--- > 1 file changed, 16 insertions(+), 3 deletions(-) > >diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml >index 9bf8659cb92..6480c575060 100644 >--- a/docs-xml/smbdotconf/logging/loglevel.xml >+++ b/docs-xml/smbdotconf/logging/loglevel.xml 
>@@ -97,11 +97,24 @@ > > <para>Transaction rollbacks and prepare commit failures are logged under > the dsdb_transaction_audit and a JSON representation is logged under the >- password_json_audit. Logging the transaction details allows the >- identification of password and sam.ldb operations that have been rolled >- back.</para> >+ dsdb_transaction_json_audit. </para> > >+ <para>Transaction roll-backs are possible in Samba, and whilst >+ they rarely reflect anything more than the failure of an >+ individual operation (say due to the add of a conflicting record), >+ they are possible. Audit logs are already generated and sent to >+ the system logs before the transaction is complete. Logging the >+ transaction details allows the identification of password and >+ <command moreinfo="none">sam.ldb</command> operations that have >+ been rolled back, and so have not actually persisted.</para> > >+ <warning><para> Changes to <command >+ moreinfo="none">sam.ldb</command> made locally by the <command >+ moreinfo="none">root</command> user with direct access to the >+ database are not logged to the system logs, but to the >+ administrator's own console. While less than ideal, any user able >+ to make such modifications could disable the audit logging in any >+ case. </para></warning> > </description> > <value type="default">0</value> > <value type="example">3 passdb:5 auth:10 winbind:2</value> >-- >2.25.1 > > >From 8fecc261a7cf08e2853d56455f6ae45913c484d0 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 15 Apr 2021 14:45:07 +1200 >Subject: [PATCH 4/6] docs: Further discourage the use of the "event > notification" options > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 
> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 364b8be9816b34b2a1b07c6259345c406d68c9f2) >--- > .../smbdotconf/logon/autheventnotification.xml | 17 ++++++++++------- > .../smbdotconf/misc/dsdbeventnotification.xml | 14 +++++++++----- > .../misc/dsdbgroupchangenotification.xml | 16 ++++++++++------ > .../misc/dsdbpasswordeventnotification.xml | 16 ++++++++++------ > 4 files changed, 39 insertions(+), 24 deletions(-) > >diff --git a/docs-xml/smbdotconf/logon/autheventnotification.xml b/docs-xml/smbdotconf/logon/autheventnotification.xml >index 1ae2dbfb61a..87ccf02a8f4 100644 >--- a/docs-xml/smbdotconf/logon/autheventnotification.xml >+++ b/docs-xml/smbdotconf/logon/autheventnotification.xml >@@ -10,16 +10,19 @@ > registering as the service > <filename moreinfo="none">auth_event</filename>.</para> > >- <para>This should be considered a developer option (it assists >- in the Samba testsuite) rather than a facility for external >- auditing, as message delivery is not guaranteed (a feature >- that the testsuite works around). Additionally Samba must be >- compiled with the jansson support for this option to be >- effective.</para> >+ <para>This is <emphasis>not</emphasis> needed for the audit >+ logging described in <smbconfoption name="log level"/>.</para> >+ >+ <para>Instead, this should instead be considered a developer >+ option (it assists in the Samba testsuite) rather than a >+ facility for external auditing, as message delivery is not >+ guaranteed (a feature that the testsuite works around).</para> > > <para>The authentication events are also logged via the normal > logging methods when the <smbconfoption name="log level"/> is >- set appropriately.</para> >+ set appropriately, say to >+ <command moreinfo="none">auth_json_audit:3</command>.</para> >+ > </description> > > <value type="default">no</value> 
>diff --git a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml >index 7df46e1d68c..279ac3d29ef 100644 >--- a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml >+++ b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml >@@ -10,14 +10,18 @@ > registering as the service > <filename moreinfo="none">dsdb_event</filename>.</para> > >- <para>This should be considered a developer option (it assists >- in the Samba testsuite) rather than a facility for external >- auditing, as message delivery is not guaranteed (a feature >- that the testsuite works around).</para> >+ <para>This is <emphasis>not</emphasis> needed for the audit >+ logging described in <smbconfoption name="log level"/>.</para> >+ >+ <para>Instead, this should instead be considered a developer >+ option (it assists in the Samba testsuite) rather than a >+ facility for external auditing, as message delivery is not >+ guaranteed (a feature that the testsuite works around).</para> > > <para>The Samba database events are also logged via the normal > logging methods when the <smbconfoption name="log level"/> is >- set appropriately.</para> >+ set appropriately, say to >+ <command moreinfo="none">dsdb_json_audit:5</command>.</para> > > </description> > >diff --git a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml >index 6354979538b..3972e72b60f 100644 >--- a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml >+++ b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml 
>@@ -10,14 +10,18 @@ > registering as the service > <filename moreinfo="none">dsdb_group_event</filename>.</para> > >- <para>This should be considered a developer option (it assists >- in the Samba testsuite) rather than a facility for external >- auditing, as message delivery is not guaranteed (a feature >- that the testsuite works around).</para> >+ <para>This is <emphasis>not</emphasis> needed for the audit >+ logging described in <smbconfoption name="log level"/>.</para> > >- <para>The group events are also logged via the normal >+ <para>Instead, this should instead be considered a developer >+ option (it assists in the Samba testsuite) rather than a >+ facility for external auditing, as message delivery is not >+ guaranteed (a feature that the testsuite works around).</para> >+ >+ <para>The Samba database events are also logged via the normal > logging methods when the <smbconfoption name="log level"/> is >- set appropriately.</para> >+ set appropriately, say to >+ <command moreinfo="none">dsdb_group_json_audit:5</command>.</para> > > </description> > >diff --git a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml >index 984321b98fc..cd2cc98ff42 100644 >--- a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml >+++ b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml 
>@@ -10,14 +10,18 @@ > events by registering as the service > <filename moreinfo="none">password_event</filename>.</para> > >- <para>This should be considered a developer option (it assists >- in the Samba testsuite) rather than a facility for external >- auditing, as message delivery is not guaranteed (a feature >- that the testsuite works around).</para> >+ <para>This is <emphasis>not</emphasis> needed for the audit >+ logging described in <smbconfoption name="log level"/>.</para> > >- <para>The password events are also logged via the normal >+ <para>Instead, this should instead be considered a developer >+ option (it assists in the Samba testsuite) rather than a >+ facility for external auditing, as message delivery is not >+ guaranteed (a feature that the testsuite works around).</para> >+ >+ <para>The Samba database events are also logged via the normal > logging methods when the <smbconfoption name="log level"/> is >- set appropriately.</para> >+ set appropriately, say to >+ <command moreinfo="none">dsdb_password_json_audit:5</command>.</para> > > </description> > >-- >2.25.1 > > >From 21489130addfe0de61478663dcf5bd3cc98f4a18 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 15 Apr 2021 14:40:30 +1200 >Subject: [PATCH 5/6] docs: underline special words in the audit logging part > of "log level" in man smb.conf > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit d03e7ffcff32452bb92f2ced9f06cbeab9843e04) >--- > docs-xml/smbdotconf/logging/loglevel.xml | 30 ++++++++++++++---------- > 1 file changed, 17 insertions(+), 13 deletions(-) > >diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml >index 6480c575060..6ee9cdceb87 100644 >--- a/docs-xml/smbdotconf/logging/loglevel.xml >+++ b/docs-xml/smbdotconf/logging/loglevel.xml 
>@@ -65,9 +65,9 @@ > full_audit:1@/var/log/audit.log</parameter>.</para> > > <para>Authentication and authorization audit information is logged >- under the auth_audit, and if Samba was not compiled with >+ under the <parameter>auth_audit</parameter>, and if Samba was not compiled with > --without-json, a JSON representation is logged under >- auth_json_audit.</para> >+ <parameter>auth_json_audit</parameter>.</para> > > <para>Support is comprehensive for all authentication and authorisation > of user accounts in the Samba Active Directory Domain Controller, >@@ -75,7 +75,8 @@ > the file server, NTLM authentication, SMB and RPC authorization is > covered.</para> > >- <para>Log levels for auth_audit and auth_audit_json are:</para> >+ <para>Log levels for <parameter>auth_audit</parameter> and >+ <parameter>auth_audit_json</parameter> are:</para> > <itemizedlist> > <listitem><para>2: Authentication Failure</para></listitem> > <listitem><para>3: Authentication Success</para></listitem> 
>@@ -83,21 +84,24 @@ > <listitem><para>5: Anonymous Authentication and Authorization Success</para></listitem> > </itemizedlist> > >- <para>Changes to the sam.ldb database are logged >- under the dsdb_audit and a JSON representation is logged under >- dsdb_json_audit.</para> >+ <para>Changes to the <command moreinfo="none">sam.ldb</command> >+ database are logged under the <parameter>dsdb_audit</parameter> >+ and a JSON representation is logged under >+ <parameter>dsdb_json_audit</parameter>.</para> > >- <para>Group membership changes to the sam.ldb database are logged >- under the dsdb_group_audit and a JSON representation is logged under >- dsdb_group_json_audit.</para> >+ <para>Group membership changes to the <command >+ moreinfo="none">sam.ldb</command> database are logged under the >+ <parameter>dsdb_group_audit</parameter> and a JSON representation >+ is logged under >+ <parameter>dsdb_group_json_audit</parameter>.</para> > > <para>Password changes and Password resets are logged under >- dsdb_password_audit and a JSON representation is logged under the >- dsdb_password_json_audit.</para> >+ <parameter>dsdb_password_audit</parameter> and a JSON representation is logged under the >+ <parameter>dsdb_password_json_audit</parameter>.</para> > > <para>Transaction rollbacks and prepare commit failures are logged under >- the dsdb_transaction_audit and a JSON representation is logged under the >- dsdb_transaction_json_audit. </para> >+ the <parameter>dsdb_transaction_audit</parameter> and a JSON representation is logged under the >+ <parameter>dsdb_transaction_json_audit</parameter>. </para> > > <para>Transaction roll-backs are possible in Samba, and whilst > they rarely reflect anything more than the failure of an >-- >2.25.1 > > >From 9541711cac3f54eeb1243175178a3527c86e0fb5 Mon Sep 17 00:00:00 2001 
>From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 16 Apr 2021 10:43:07 +1200 >Subject: [PATCH 6/6] docs: Expand the "log level" docs on audit logging > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 38fe888f95f8d22736080ed521939be932e7bca0) >--- > docs-xml/smbdotconf/logging/loglevel.xml | 38 ++++++++++++++++++++---- > 1 file changed, 33 insertions(+), 5 deletions(-) > >diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml >index 6ee9cdceb87..4c6bb5e7e73 100644 >--- a/docs-xml/smbdotconf/logging/loglevel.xml >+++ b/docs-xml/smbdotconf/logging/loglevel.xml 
>@@ -84,25 +84,53 @@ > <listitem><para>5: Anonymous Authentication and Authorization Success</para></listitem> > </itemizedlist> > >- <para>Changes to the <command moreinfo="none">sam.ldb</command> >+ <para>Changes to the AD DC <command moreinfo="none">sam.ldb</command> > database are logged under the <parameter>dsdb_audit</parameter> > and a JSON representation is logged under > <parameter>dsdb_json_audit</parameter>.</para> > >- <para>Group membership changes to the <command >+ <para>Group membership changes to the AD DC <command > moreinfo="none">sam.ldb</command> database are logged under the > <parameter>dsdb_group_audit</parameter> and a JSON representation > is logged under > <parameter>dsdb_group_json_audit</parameter>.</para> > >- <para>Password changes and Password resets are logged under >- <parameter>dsdb_password_audit</parameter> and a JSON representation is logged under the >- <parameter>dsdb_password_json_audit</parameter>.</para> >+ <para>Log levels for <parameter>dsdb_audit</parameter>, >+ <parameter>dsdb_json_audit</parameter>, >+ <parameter>dsdb_group_audit</parameter>, >+ <parameter>dsdb_group_json_audit</parameter> and >+ <parameter>dsdb_json_audit</parameter> are:</para> >+ <itemizedlist> >+ <listitem><para>5: Database modifications</para></listitem> >+ <listitem><para>5: Replicated updates from another DC</para></listitem> >+ </itemizedlist> >+ >+ <para>Password changes and Password resets in the AD DC are logged >+ under <parameter>dsdb_password_audit</parameter> and a JSON >+ representation is logged under the >+ <parameter>dsdb_password_json_audit</parameter>. 
Password changes >+ will also appears as authentication events via >+ <parameter>auth_audit</parameter> and >+ <parameter>auth_audit_json</parameter>.</para> >+ >+ <para>Log levels for <parameter>dsdb_password_audit</parameter> and >+ <parameter>dsdb_password_json_audit</parameter> are:</para> >+ <itemizedlist> >+ <listitem><para>5: Successful password changes and resets</para></listitem> >+ </itemizedlist> > > <para>Transaction rollbacks and prepare commit failures are logged under > the <parameter>dsdb_transaction_audit</parameter> and a JSON representation is logged under the > <parameter>dsdb_transaction_json_audit</parameter>. </para> > >+ <para>Log levels for <parameter>dsdb_transaction_audit</parameter> and >+ <parameter>dsdb_transaction_json</parameter> are:</para> >+ >+ <itemizedlist> >+ <listitem><para>5: Transaction failure (rollback)</para></listitem> >+ <listitem><para>10: Transaction success (commit)</para></listitem> >+ </itemizedlist> >+ > <para>Transaction roll-backs are possible in Samba, and whilst > they rarely reflect anything more than the failure of an > individual operation (say due to the add of a conflicting record), >-- >2.25.1 >
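Review bot: in the loglevel.xml hunk at @@ -41,19 +39,24 @@ the class list is re-synchronised by hand from default_classname_table[] in lib/util/debug.c, so the next class added to that table will drift again exactly as dsdb_group_audit did; a selftest that extracts the <parameter> entries from loglevel.xml and compares them with the table would turn the next omission into a test failure instead of a bug report. The entries are also reordered to follow table order rather than alphabetical order (smb2 and smb2_credits move down, drs_repl appears between kerberos and smb2); a short XML comment stating that the list mirrors the table order would stop a later editor from re-sorting it.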
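Review bot: the new paragraph in PATCH 2/6 documents the class as "dsdb_group_json_audit", which matches the list entry added in PATCH 1/6, but the subject line calls it "dsdb_group_audit_json"; correct the subject so that searching the history for the real class name finds this commit. The paragraph also names the two classes without saying at which level the group-membership events are emitted; that is only supplied by PATCH 6/6, so this commit on its own leaves the reader without a usable "log level" setting.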
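Review bot: the `-` lines in PATCH 3/6 fix a genuine documentation error (the JSON class was given as "password_json_audit" instead of "dsdb_transaction_json_audit"), but the replacement line keeps a stray space before the closing tag ("dsdb_transaction_json_audit. </para>"). The new <warning> would be more useful if it said what "direct access to the database" means in practice, since that is what decides whether a change reaches the system log or only the administrator's console. The subject line spells "explanation" as "explination".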
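Review bot: in the autheventnotification.xml hunk, "Instead, this should instead be considered a developer option" doubles "instead"; drop one occurrence (the same sentence is pasted into the three following files, so the fix applies to all four). The deleted text also carried the only note in this file that "Samba must be compiled with the jansson support for this option to be effective"; if that build dependency still holds it should be kept or moved next to the JSON audit classes rather than silently dropped.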
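Review bot: in the dsdbgroupchangenotification.xml hunk, "The group events are also logged via the normal logging methods" is replaced by the generic "The Samba database events are also logged", which loses the specificity this file is about; keep "The group events" and just append the "dsdb_group_json_audit:5" example. The example level itself is consistent with the "5: Database modifications" entry that PATCH 6/6 adds for dsdb_group_json_audit.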
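Review bot: the dsdbpasswordeventnotification.xml hunk has the same regression as the group-change file: "The password events are also logged" becomes "The Samba database events are also logged", so a reader of this page can no longer tell that it is password events that appear under the suggested "dsdb_password_json_audit:5"; restore the specific wording. The level 5 in the example does line up with "5: Successful password changes and resets" in PATCH 6/6.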
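Review bot: in the PATCH 5/6 hunk at @@ -75,7 +75,8 @@ the line is wrapped as <parameter>auth_audit_json</parameter>, but the debug class listed in the <itemizedlist> earlier in the same file (and in default_classname_table[]) is "auth_json_audit"; since this line is being touched anyway, fix the name rather than mark up the wrong one, otherwise an administrator who copies "auth_audit_json:3" into smb.conf gets no JSON authentication audit output.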
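Review bot: the new "Log levels for ..." paragraph in PATCH 6/6 lists <parameter>dsdb_json_audit</parameter> twice (second and fifth item), so either the last item is a copy-paste slip or another class was meant; also in this hunk, "Password changes will also appears as authentication events" should read "appear", <parameter>auth_audit_json</parameter> should again be auth_json_audit, and "Log levels for dsdb_transaction_audit and dsdb_transaction_json" should name the class as dsdb_transaction_json_audit to match the list in PATCH 1/6. Getting these identifiers exact matters here because they are what operators paste into the "log level" line.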
Flags: dbagnall: review+