Samba and AuditD

Alan Evangelista alan.vitor at gmail.com
Wed Feb 10 23:57:28 UTC 2021


SG>  The Linux kernel has no idea who the user is in the
Windows machine since they're not really logged in. This applies to all
remote file systems.

I thought that any filesystem operation requested by a user in Windows
would necessarily be executed by some user in Linux in the end (either a
generic user such as samba or, in my specific case, the Linux user which is
mapped to the MS Active Directory user by Centrify). After all, the
filesystem is managed by Linux. Is that assumption incorrect?

On Wed, Feb 10, 2021 at 6:26 PM Steve Grubb <sgrubb at redhat.com> wrote:

> Hello,
>
> Moderator system is acting up. But it'll go through eventually.
>
> On Wednesday, February 10, 2021 3:41:45 PM EST Alan Evangelista wrote:
> > I have installed audit 2.8.5 on a CentOS 7 system and set up the following
> > rule in /etc/audit/rules.d/audit.rules:
> >
> > -w /data
> >
> > /data is shared via Samba to a Windows Server 2016 system. If I write to
> > /data in the CentOS7 system, I get the open syscall event in the auditd
> > log. If I write to the same directory in the Windows Server 2016, I see the
> > file in the /data directory in the CentOS7 system, but the event is not
> > logged by audit. Is that the expected behavior?
>
> Unfortunately, yes. The Linux kernel has no idea who the user is in the
> Windows machine since they're not really logged in. This applies to all
> remote file systems. They may yield a few events, but that is more by
> accident than design.
>
> -Steve
>
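The practical way to see what Steve describes is to look at who the SYSCALL record actually names. The kernel stamps every record with the process context of the local syscall: auid (the login uid set by pam_loginuid at login) and uid/euid of the process. A daemon that was started by init and never went through a login carries auid=4294967295 (the "unset" value), and that is what any record produced on behalf of a remote SMB client would inherit from smbd; the Windows identity never reaches the kernel. The small parser below is an added example written for this page, not code from the thread or from the audit project. The two log lines are constructed, modelled on the audit 2.x SYSCALL layout: one for a local bash write, one for a write that smbd performed on behalf of a remote client. It assumes a rule key named "data-watch" (the rule in the thread has no -k) and assumes smbd had switched to the mapped user's uid (1000) for that connection; neither detail comes from the thread.

```python
import re

# Value the kernel reports for auid/ses when no login uid was ever set,
# e.g. a daemon started by init. Remote-share writes performed by smbd
# inherit this, so they can never be tied to a login session.
AUID_UNSET = 4294967295

# Constructed sample records (not taken from the thread). Line 1: a local
# user in bash opening a file under /data. Line 2: the same open done by
# smbd for a remote client; uid=1000 assumes smbd switched to the mapped
# Linux user, auid stays unset because smbd never logged in.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1612999001.100:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a3c1c40 a2=241 a3=1b6 items=2 ppid=1800 pid=1823 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="data-watch"
type=SYSCALL msg=audit(1612999002.200:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f1e4c0a2f10 a2=241 a3=1b6 items=2 ppid=1 pid=2345 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" key="data-watch"
"""

# key=value pairs; quoted values (comm, exe, key) may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def attribution(fields):
    """Report who the kernel thinks performed the syscall.

    'attributable' is True only when auid is set, i.e. the process
    descends from a real login session on this host.
    """
    auid = int(fields.get("auid", AUID_UNSET))
    return {
        "serial": fields.get("msg", ""),
        "auid": auid,
        "uid": int(fields.get("uid", -1)),
        "comm": fields.get("comm", ""),
        "exe": fields.get("exe", ""),
        "attributable": auid != AUID_UNSET,
    }


def summarize(log_text):
    """Return an attribution summary for every SYSCALL record in the text."""
    out = []
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        out.append(attribution(parse_record(line)))
    return out


def unattributed(log_text):
    """Only the records that cannot be tied to a login session."""
    return [r for r in summarize(log_text) if not r["attributable"]]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        who = "login session auid=%d" % rec["auid"] if rec["attributable"] \
            else "NO login session (auid unset)"
        print("%-5s uid=%d  %s" % (rec["comm"], rec["uid"], who))
```

On a real host the same check is `ausearch -k data-watch -i`, which prints auid as "unset" for the smbd record; the uid shown there is only the Linux account smbd was running as at that moment, not the Windows user who issued the SMB request.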

