Bug 14891 - Samba auditing logs everything if unknown operation is used
Summary: Samba auditing logs everything if unknown operation is used
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: VFS Modules (show other bugs)
Version: 4.13.8
Hardware: All All
: P5 minor (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-02 12:19 UTC by Martin Rehak
Modified: 2021-11-02 12:19 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Rehak 2021-11-02 12:19:12 UTC 
In source3/modules/vfs_full_audit.c there is this code:

575   if (i == SMB_VFS_OP_LAST) {
576   DEBUG(0, ("Could not find opname %s, logging all\n",
577     *ops));
578   TALLOC_FREE(bm);
579   return NULL;
580   }

If it does not find the op in the list it will fall back to log everything.
The only way how to find out is to have enabled 'all' 'log level'. Otherwise
smbd will silently start logging everything and fill logs.

Could this be changed to something that will skip the operation, leave 
the message in the log (or dies), but will do its job as good as 
possible, please?