Samba and AuditD
Steve Grubb
sgrubb at redhat.com
Tue Feb 16 18:35:11 UTC 2021
Hello,
Moderation system finally works. All messages / membership requests are
approved.
On Thursday, February 11, 2021 8:48:57 PM EST Alan Evangelista wrote:
> AV> I thought that any filesystem operation requested by a user in Windows
>
> > would necessarily be executed by some user in Linux in the end (...)
> > Is that assumption incorrect?
>
> SG> Maybe. It depends on the implementation. If its all in the kernel, then
> probably not.
>
> AFAIK the Samba daemon in Linux just 1) listens to Windows file requests,
> 2) forwards them to the kernel via syscalls and 3) sends the file
> operations return codes back to Windows. There is no user-space filesystem
> implementation
> as in FUSE.
>
> SG> if you can strace the daemon and see it accessing the file system
> with the sycalls you expect, then the kernel's audit engine can capture the
> access but won't know who to attribute it to.
>
> If I strace the Samba daemon processes, I see the open syscalls called when
> I create dummy files in the Windows network drive that is mapped to the
> Linux directory via Samba. I still don't understand why the kernel's audit
> engine doesn't know who to attribute the access to. Doesn't it have access
> to the files' owner Linux user ?
Since Samba is accessing the file, it sees Samba's loginuid. It pulls this
from the task struct when the open occurs. The loginuid is set by pam during
authentication. Since the Samba process is started by systemd, it doesn't go
through any kind of authentication and therefore has the default -1 loginuid.
The audit rules are generally written to avoid logging any daemon activity
since that is not as interesting. What users do is more interesting.
> For instance, after creating two dummy files, I have this in the Linux
> directory served by Samba:
>
> $ ls /data -lah
> total 8.0K
> drwxrwxrwx 2 root root 48 Feb 11 20:08 .
> dr-xr-xr-x. 21 root root 4.0K Jan 27 10:32 ..
> -rwxrwxr-x+ 1 aevangelista domainusers 0 Feb 11 20:07 alantest1.txt
> -rw-r--r-- 1 aevangelista domainusers 0 Feb 11 20:08 alantest2.txt
>
> Shouldn't auditd be able to see that aevangelista is the Linux user ID
> related to the open syscall and log it ? Sorry if I'm missing something
> obvious.
When it logs a PATH record, you will get the ownership and mode information
in that record. However, it is likely not triggering any rule because audit
rules that are shipped generally avoid daemons.
If your rule was:
-a always,exit -F dir=/data -F perm=wra -F key=Samba-access
Then you should get every read or write in the /data dirctory.
Best Regards,
-Steve
More information about the Linux-audit
mailing list