Samba and AuditD

Steve Grubb sgrubb at redhat.com
Tue Feb 16 18:35:11 UTC 2021 

Hello,

Moderation system finally works. All messages / membership requests are 
approved.

On Thursday, February 11, 2021 8:48:57 PM EST Alan Evangelista wrote:
> AV> I thought that any filesystem operation requested by a user in Windows
> 
>     > would necessarily be executed by some user in Linux in the end (...)
>     > Is that assumption incorrect?
> 
> SG> Maybe. It depends on the implementation. If its all in the kernel, then
> probably not.
> 
> AFAIK the Samba daemon in Linux just 1) listens to Windows file requests,
> 2) forwards them to the kernel via syscalls and 3) sends the file
> operations return codes back to Windows. There is no user-space filesystem
> implementation
> as in FUSE.
> 
> SG> if you can strace the daemon and see it accessing the file system
> with the sycalls you expect, then the kernel's audit engine can capture the
> access but won't know who to attribute it to.
> 
> If I strace the Samba daemon processes, I see the open syscalls called when
> I create dummy files in the Windows network drive that is mapped to the
> Linux directory via Samba. I still don't understand why the kernel's audit
> engine doesn't know who to attribute the access to. Doesn't it have access
> to the files' owner Linux user ?

Since Samba is accessing the file, it sees Samba's loginuid. It pulls this 
from the task struct when the open occurs. The loginuid is set by pam during 
authentication. Since the Samba process is started by systemd, it doesn't go 
through any kind of authentication and therefore has the default -1 loginuid. 
The audit rules are generally written to avoid logging any daemon activity 
since that is not as interesting. What users do is more interesting.

> For instance, after creating two dummy files, I have this in the Linux
> directory served by Samba:
> 
> $ ls /data -lah
> total 8.0K
> drwxrwxrwx   2 root         root          48 Feb 11 20:08 .
> dr-xr-xr-x. 21 root         root        4.0K Jan 27 10:32 ..
> -rwxrwxr-x+  1 aevangelista domainusers    0 Feb 11 20:07 alantest1.txt
> -rw-r--r--   1 aevangelista domainusers    0 Feb 11 20:08 alantest2.txt
> 
> Shouldn't auditd be able to see that aevangelista is the Linux user ID
> related to the open syscall and log it ? Sorry if I'm missing something
> obvious.

When it logs a PATH record, you will get the ownership and mode information 
in that record. However, it is likely not triggering any rule because audit 
rules that are shipped generally avoid daemons.

If your rule was:
-a always,exit -F dir=/data -F perm=wra -F key=Samba-access

Then you should get every read or write in the /data dirctory.

Best Regards,
-Steve

More information about the Linux-audit mailing list