First, thanks for the feedback!
AV> I thought that any filesystem operation requested by a user in Windows
would necessarily be executed by some user in Linux in the end (...)
Is that assumption incorrect?
SG> Maybe. It depends on the implementation. If it's all in the kernel,
then probably not.
AFAIK the Samba daemon in Linux just 1) listens to Windows file requests,
2) forwards them to the kernel via syscalls and 3) sends the file
operations' return codes back to Windows. There is no user-space
filesystem implementation as in FUSE.
SG> if you can strace the daemon and see it accessing the file system
with the syscalls you expect, then the kernel's audit engine can capture
the access but won't know who to attribute it to.
If I strace the Samba daemon processes, I see the open syscalls called
when I create dummy files in the Windows network drive that is mapped to
the Linux directory via Samba. I still don't understand why the kernel's
audit engine doesn't know who to attribute the access to. Doesn't it have
access to the files' owner Linux user?
For instance, after creating two dummy files, I have this in the Linux
directory served by Samba:
$ ls /data -lah
total 8.0K
drwxrwxrwx 2 root root 48 Feb 11 20:08 .
dr-xr-xr-x. 21 root root 4.0K Jan 27 10:32 ..
-rwxrwxr-x+ 1 aevangelista domainusers 0 Feb 11 20:07 alantest1.txt
-rw-r--r-- 1 aevangelista domainusers 0 Feb 11 20:08 alantest2.txt
Shouldn't auditd be able to see that aevangelista is the Linux user ID
related to the open syscall and log it? Sorry if I'm missing something
obvious.
Thanks again in advance!
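Added example (not part of the thread above, and not Samba or audit
project code): a small Python script that groups raw audit records into
events and reports which credentials the kernel attached to each access.
The point it illustrates is that a SYSCALL record carries the
credentials of the calling process (auid, uid, euid), while the owner of
the file touched only appears as ouid in the PATH record; the two need
not agree. The sample records are constructed to resemble what a watch
rule such as `auditctl -w /data -p wa -k samba_writes` would log. The
uid values, pids, inode numbers and the assumption that the smbd child
serving the request has switched its effective uid to the mapped Unix
user (euid=10001) while its login uid (auid) stays unset, because the
daemon never passed through a PAM login, are illustrative assumptions,
not captured data.

```python
import re
from typing import Dict, List, Tuple

# The kernel writes auid=4294967295 (-1 as u32) when a process was never
# assigned a loginuid, e.g. daemons started at boot rather than via PAM.
AUID_UNSET = 4294967295

# Constructed sample records in /var/log/audit/audit.log format (some
# fields abbreviated). Event 4521 assumes an smbd child that has switched
# its effective uid to the mapped user; event 4530 is an interactive
# `touch` by a logged-in user for comparison. Not real captured logs.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1423688820.123:4521): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7f3a0c2b1a10 a2=80241 a3=1a4 items=2 ppid=1203 pid=1487 auid=4294967295 uid=0 gid=0 euid=10001 suid=0 fsuid=10001 egid=10001 sgid=0 fsgid=10001 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" key="samba_writes"
type=CWD msg=audit(1423688820.123:4521):  cwd="/"
type=PATH msg=audit(1423688820.123:4521): item=1 name="/data/alantest1.txt" inode=131081 dev=fd:00 mode=0100775 ouid=10001 ogid=10001 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1423688900.456:4530): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=55d1c8e0 a2=80241 a3=1a4 items=2 ppid=2100 pid=2210 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="samba_writes"
type=PATH msg=audit(1423688900.456:4530): item=1 name="/data/alantest2.txt" inode=131082 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<timestamp>:<serial>) ties the records of one event together.
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_fields(line: str) -> Dict[str, str]:
    """Split one audit record into a dict, stripping the quotes on values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_audit_log(text: str) -> List[dict]:
    """Group records by serial number into events, in first-seen order."""
    events: Dict[int, dict] = {}
    order: List[int] = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # blank line or record without an audit id
        serial = int(m.group(2))
        fields = parse_fields(line)
        ev = events.get(serial)
        if ev is None:
            ev = {"serial": serial, "time": float(m.group(1)),
                  "syscall": {}, "paths": []}
            events[serial] = ev
            order.append(serial)
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields)
    return [events[s] for s in order]


def attribute(event: dict) -> Tuple[str, int, str]:
    """Return (credential used, uid, comm) for the process behind an event.

    auditd attributes by the login uid when one is set; for a process with
    no loginuid all that is left is the effective uid at syscall time.
    """
    sc = event["syscall"]
    auid, euid, comm = int(sc["auid"]), int(sc["euid"]), sc["comm"]
    if auid != AUID_UNSET:
        return ("auid", auid, comm)
    return ("euid", euid, comm)


def created_files(event: dict) -> List[Tuple[str, int]]:
    """Return (path, owner uid) for every file the event created."""
    return [(p["name"], int(p["ouid"]))
            for p in event["paths"] if p.get("nametype") == "CREATE"]


if __name__ == "__main__":
    for ev in parse_audit_log(SAMPLE_AUDIT_LOG):
        how, uid, comm = attribute(ev)
        for path, owner in created_files(ev):
            print(f"event {ev['serial']}: {path} owned by uid {owner}; "
                  f"process {comm} attributed by {how}={uid}")
```

Run against a real log with `ausearch -k samba_writes --raw | python3
this_script.py` after replacing SAMPLE_AUDIT_LOG with sys.stdin.read();
the interesting column is whether attribution came from auid or only
from euid.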