redhat 7.2 with samba 4.2.3 full audit

I am having a problem where the samba audit is getting/recording too much info and sometimes it duplicates.

Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_alloc_size|ok|0
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|kernel_flock|ok|SOA3616.tmp
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|realpath|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|connectpath|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|file_id_create|ok|fd03:83:0
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|file_id_create|ok|fd03:83:0
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|create_file|ok|0x100080|file|open|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_alloc_size|ok|0

I have updated the samba conf to reduce the info it records but it does not seem to work.

My samba conf - details entered relating to samba audit are as follows:

[global]
.
.
syslog = 0
log file = /var/log/samba/%m
Log level = 0 vfs:0
max log size = 0

[admin]
Comment = General Global Share
path = /shares/admin
browsable = yes
writeable = yes
read only = no
vfs objects = full_audit
full_audit:prefix = nasaudit|%u|%I|%m
full_audit:success = mkdir rmdir pwrite ulink rename
full_audit:failure = mkdir rmdir pwrite ulink rename
nt acl support = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map acl inherit = yes
store dos attributes = Yes
guest ok = no
create mask = 0777
directory mask = 0777
users = @"Domain Users","@Domain Admins"
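
An added example, not part of the original post: a parser for the smbd_audit lines shown above, assuming the layout implied by the posted full_audit:prefix (nasaudit|%u|%I|%m, then operation|result|arguments). It counts exact duplicate lines and lists the logged operations that are not in the posted full_audit:success list; the function names are this example's own and the sample lines are copied from the post.

```python
import re
from collections import Counter

# Operation list exactly as posted in full_audit:success / full_audit:failure.
CONFIGURED_OPS = "mkdir rmdir pwrite ulink rename".split()

# Sample input: seven lines copied from the log excerpt in the post.
SAMPLE = r"""
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|stat|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|sys_acl_get_file|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_nt_acl|ok|.
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|get_alloc_size|ok|0
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|kernel_flock|ok|SOA3616.tmp
Feb 3 11:58:43 server smbd_audit: nasaudit|MYDOMAIN\abar|192.168.1.168|it02|create_file|ok|0x100080|file|open|.
"""

# Syslog header, then the pipe-separated full_audit record.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"smbd_audit(?:\[\d+\])?:\s(?P<body>.*)$"
)

def parse_line(line):
    """Return a dict for one smbd_audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("body").split("|")
    if len(parts) < 6:          # 4 prefix fields + operation + result
        return None
    _tag, user, ip, machine, op, result = parts[:6]
    # Arguments may themselves contain '|' (see create_file), so rejoin them.
    return {"ts": m.group("ts"), "user": user, "ip": ip, "machine": machine,
            "op": op, "result": result, "args": "|".join(parts[6:])}

def summarize(text, configured=CONFIGURED_OPS):
    """Count events, exact duplicates, and operations outside the configured list."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    by_op = Counter(e["op"] for e in events)
    unique = {tuple(sorted(e.items())) for e in events}
    return {"events": len(events), "unique": len(unique), "by_op": by_op,
            "not_configured": sorted(op for op in by_op if op not in configured)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On these sample lines every logged operation falls outside the posted list, which matches what the post describes: the full_audit:success / full_audit:failure filter is not taking effect.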
