Hello,
Moderation system finally works. All messages / membership requests are
approved.
On Thursday, February 11, 2021 8:48:57 PM EST Alan Evangelista wrote:
AV> I thought that any filesystem operation requested by a user in
Windows
> would necessarily be executed by some user in Linux in the end (...)
> Is that assumption incorrect?
SG> Maybe. It depends on the implementation. If its all in the kernel, then
probably not.
AFAIK the Samba daemon in Linux just 1) listens to Windows file requests,
2) forwards them to the kernel via syscalls and 3) sends the file
operations return codes back to Windows. There is no user-space filesystem
implementation
as in FUSE.
SG> if you can strace the daemon and see it accessing the file system
with the sycalls you expect, then the kernel's audit engine can capture the
access but won't know who to attribute it to.
If I strace the Samba daemon processes, I see the open syscalls called when
I create dummy files in the Windows network drive that is mapped to the
Linux directory via Samba. I still don't understand why the kernel's audit
engine doesn't know who to attribute the access to. Doesn't it have access
to the files' owner Linux user ?
Since Samba is accessing the file, it sees Samba's loginuid. It pulls this
from the task struct when the open occurs. The loginuid is set by pam during
authentication. Since the Samba process is started by systemd, it doesn't go
through any kind of authentication and therefore has the default -1 loginuid.
The audit rules are generally written to avoid logging any daemon activity
since that is not as interesting. What users do is more interesting.
For instance, after creating two dummy files, I have this in the
Linux
directory served by Samba:
$ ls /data -lah
total 8.0K
drwxrwxrwx 2 root root 48 Feb 11 20:08 .
dr-xr-xr-x. 21 root root 4.0K Jan 27 10:32 ..
-rwxrwxr-x+ 1 aevangelista domainusers 0 Feb 11 20:07 alantest1.txt
-rw-r--r-- 1 aevangelista domainusers 0 Feb 11 20:08 alantest2.txt
Shouldn't auditd be able to see that aevangelista is the Linux user ID
related to the open syscall and log it ? Sorry if I'm missing something
obvious.
When it logs a PATH record, you will get the ownership and mode information
in that record. However, it is likely not triggering any rule because audit
rules that are shipped generally avoid daemons.
If your rule was:
-a always,exit -F dir=/data -F perm=wra -F key=Samba-access
Then you should get every read or write in the /data dirctory.
Best Regards,
-Steve