From 2f044ac92746a6a61cd084d1440feefcff25e1b4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 15 Apr 2021 13:52:38 +1200 Subject: [PATCH 1/6] debug: Synchronise "log level" in smb.conf with the code This is done by pasting in the contents of default_classname_table[] in lib/util/debug.c into cut -f 2 -d \"| xargs -i sh -c 'echo "\t{}"' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit 0d30d74e89829cc7b4faa6ba835e3d90c1c410aa) --- docs-xml/smbdotconf/logging/loglevel.xml | 33 +++++++++++++----------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml index 273765c6fbe..f185c22d649 100644 --- a/docs-xml/smbdotconf/logging/loglevel.xml +++ b/docs-xml/smbdotconf/logging/loglevel.xml @@ -24,8 +24,6 @@ printdrivers lanman smb - smb2 - smb2_credits rpc_parse rpc_srv rpc_cli @@ -41,19 +39,24 @@ msdfs dmapi registry - scavenger - dns - ldb - tevent - auth_audit - auth_json_audit - kerberos - dsdb_audit - dsdb_json_audit - dsdb_password_audit - dsdb_password_json_audit - dsdb_transaction_audit - dsdb_transaction_json_audit + scavenger + dns + ldb + tevent + auth_audit + auth_json_audit + kerberos + drs_repl + smb2 + smb2_credits + dsdb_audit + dsdb_json_audit + dsdb_password_audit + dsdb_password_json_audit + dsdb_transaction_audit + dsdb_transaction_json_audit + dsdb_group_audit + dsdb_group_json_audit To configure the logging for specific classes to go into a different -- 2.25.1 From d0a5550210ba47e3e7cd59a6abb59fe399e755d3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 15 Apr 2021 14:39:49 +1200 Subject: [PATCH 2/6] docs: Add missing documentation on dsdb_group_audit and dsdb_group_audit_json BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 
Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit 2e533664e756ccde8fc1b3e41e70437c9e7bafcd) --- docs-xml/smbdotconf/logging/loglevel.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml index f185c22d649..9bf8659cb92 100644 --- a/docs-xml/smbdotconf/logging/loglevel.xml +++ b/docs-xml/smbdotconf/logging/loglevel.xml @@ -87,6 +87,10 @@ under the dsdb_audit and a JSON representation is logged under dsdb_json_audit. + Group membership changes to the sam.ldb database are logged + under the dsdb_group_audit and a JSON representation is logged under + dsdb_group_json_audit. + Password changes and Password resets are logged under dsdb_password_audit and a JSON representation is logged under the dsdb_password_json_audit. -- 2.25.1 From a8b7c1753cf8a6f3ece58231d299af8a82595595 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 15 Apr 2021 14:44:22 +1200 Subject: [PATCH 3/6] docs: Add proper explination on why transactions need to be audited. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit a778a3a6420f094a953563b87f84457fdebd20a3) --- docs-xml/smbdotconf/logging/loglevel.xml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml index 9bf8659cb92..6480c575060 100644 --- a/docs-xml/smbdotconf/logging/loglevel.xml +++ b/docs-xml/smbdotconf/logging/loglevel.xml 
@@ -97,11 +97,24 @@ Transaction rollbacks and prepare commit failures are logged under the dsdb_transaction_audit and a JSON representation is logged under the - password_json_audit. Logging the transaction details allows the - identification of password and sam.ldb operations that have been rolled - back. + dsdb_transaction_json_audit. + Transaction roll-backs are possible in Samba, and whilst + they rarely reflect anything more than the failure of an + individual operation (say due to the add of a conflicting record), + they are possible. Audit logs are already generated and sent to + the system logs before the transaction is complete. Logging the + transaction details allows the identification of password and + sam.ldb operations that have + been rolled back, and so have not actually persisted. + Changes to sam.ldb made locally by the root user with direct access to the + database are not logged to the system logs, but to the + administrator's own console. While less than ideal, any user able + to make such modifications could disable the audit logging in any + case. 0 3 passdb:5 auth:10 winbind:2 -- 2.25.1 From 8fecc261a7cf08e2853d56455f6ae45913c484d0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 15 Apr 2021 14:45:07 +1200 Subject: [PATCH 4/6] docs: Further discourage the use of the "event notification" options BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit 364b8be9816b34b2a1b07c6259345c406d68c9f2) --- .../smbdotconf/logon/autheventnotification.xml | 17 ++++++++++------- .../smbdotconf/misc/dsdbeventnotification.xml | 14 +++++++++----- .../misc/dsdbgroupchangenotification.xml | 16 ++++++++++------ .../misc/dsdbpasswordeventnotification.xml | 16 ++++++++++------ 4 files changed, 39 insertions(+), 24 deletions(-) 
diff --git a/docs-xml/smbdotconf/logon/autheventnotification.xml b/docs-xml/smbdotconf/logon/autheventnotification.xml index 1ae2dbfb61a..87ccf02a8f4 100644 --- a/docs-xml/smbdotconf/logon/autheventnotification.xml +++ b/docs-xml/smbdotconf/logon/autheventnotification.xml @@ -10,16 +10,19 @@ registering as the service auth_event. - This should be considered a developer option (it assists - in the Samba testsuite) rather than a facility for external - auditing, as message delivery is not guaranteed (a feature - that the testsuite works around). Additionally Samba must be - compiled with the jansson support for this option to be - effective. + This is not needed for the audit + logging described in . + + Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around). The authentication events are also logged via the normal logging methods when the is - set appropriately. + set appropriately, say to + auth_json_audit:3. + no diff --git a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml index 7df46e1d68c..279ac3d29ef 100644 --- a/docs-xml/smbdotconf/misc/dsdbeventnotification.xml +++ b/docs-xml/smbdotconf/misc/dsdbeventnotification.xml 
@@ -10,14 +10,18 @@ registering as the service dsdb_event. - This should be considered a developer option (it assists - in the Samba testsuite) rather than a facility for external - auditing, as message delivery is not guaranteed (a feature - that the testsuite works around). + This is not needed for the audit + logging described in . + + Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around). The Samba database events are also logged via the normal logging methods when the is - set appropriately. + set appropriately, say to + dsdb_json_audit:5. diff --git a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml index 6354979538b..3972e72b60f 100644 --- a/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml +++ b/docs-xml/smbdotconf/misc/dsdbgroupchangenotification.xml @@ -10,14 +10,18 @@ registering as the service dsdb_group_event. - This should be considered a developer option (it assists - in the Samba testsuite) rather than a facility for external - auditing, as message delivery is not guaranteed (a feature - that the testsuite works around). + This is not needed for the audit + logging described in . - The group events are also logged via the normal + Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around). + + The Samba database events are also logged via the normal logging methods when the is - set appropriately. + set appropriately, say to + dsdb_group_json_audit:5. diff --git a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml index 984321b98fc..cd2cc98ff42 100644 
--- a/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml +++ b/docs-xml/smbdotconf/misc/dsdbpasswordeventnotification.xml @@ -10,14 +10,18 @@ events by registering as the service password_event. - This should be considered a developer option (it assists - in the Samba testsuite) rather than a facility for external - auditing, as message delivery is not guaranteed (a feature - that the testsuite works around). + This is not needed for the audit + logging described in . - The password events are also logged via the normal + Instead, this should instead be considered a developer + option (it assists in the Samba testsuite) rather than a + facility for external auditing, as message delivery is not + guaranteed (a feature that the testsuite works around). + + The Samba database events are also logged via the normal logging methods when the is - set appropriately. + set appropriately, say to + dsdb_password_json_audit:5. -- 2.25.1 From 21489130addfe0de61478663dcf5bd3cc98f4a18 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 15 Apr 2021 14:40:30 +1200 Subject: [PATCH 5/6] docs: underline special words in the audit logging part of "log level" in man smb.conf BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit d03e7ffcff32452bb92f2ced9f06cbeab9843e04) --- docs-xml/smbdotconf/logging/loglevel.xml | 30 ++++++++++++++---------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml index 6480c575060..6ee9cdceb87 100644 --- a/docs-xml/smbdotconf/logging/loglevel.xml +++ b/docs-xml/smbdotconf/logging/loglevel.xml 
@@ -65,9 +65,9 @@ full_audit:1@/var/log/audit.log. Authentication and authorization audit information is logged - under the auth_audit, and if Samba was not compiled with + under the auth_audit, and if Samba was not compiled with --without-json, a JSON representation is logged under - auth_json_audit. + auth_json_audit. Support is comprehensive for all authentication and authorisation of user accounts in the Samba Active Directory Domain Controller, @@ -75,7 +75,8 @@ the file server, NTLM authentication, SMB and RPC authorization is covered. - Log levels for auth_audit and auth_audit_json are: + Log levels for auth_audit and + auth_audit_json are: 2: Authentication Failure 3: Authentication Success 
@@ -83,21 +84,24 @@ 5: Anonymous Authentication and Authorization Success - Changes to the sam.ldb database are logged - under the dsdb_audit and a JSON representation is logged under - dsdb_json_audit. + Changes to the sam.ldb + database are logged under the dsdb_audit + and a JSON representation is logged under + dsdb_json_audit. - Group membership changes to the sam.ldb database are logged - under the dsdb_group_audit and a JSON representation is logged under - dsdb_group_json_audit. + Group membership changes to the sam.ldb database are logged under the + dsdb_group_audit and a JSON representation + is logged under + dsdb_group_json_audit. Password changes and Password resets are logged under - dsdb_password_audit and a JSON representation is logged under the - dsdb_password_json_audit. + dsdb_password_audit and a JSON representation is logged under the + dsdb_password_json_audit. Transaction rollbacks and prepare commit failures are logged under - the dsdb_transaction_audit and a JSON representation is logged under the - dsdb_transaction_json_audit. + the dsdb_transaction_audit and a JSON representation is logged under the + dsdb_transaction_json_audit. Transaction roll-backs are possible in Samba, and whilst they rarely reflect anything more than the failure of an -- 2.25.1 From 9541711cac3f54eeb1243175178a3527c86e0fb5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 16 Apr 2021 10:43:07 +1200 Subject: [PATCH 6/6] docs: Expand the "log level" docs on audit logging BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689 Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit 38fe888f95f8d22736080ed521939be932e7bca0) --- docs-xml/smbdotconf/logging/loglevel.xml | 38 ++++++++++++++++++++---- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml index 6ee9cdceb87..4c6bb5e7e73 100644 --- a/docs-xml/smbdotconf/logging/loglevel.xml 
+++ b/docs-xml/smbdotconf/logging/loglevel.xml @@ -84,25 +84,53 @@ 5: Anonymous Authentication and Authorization Success - Changes to the sam.ldb + Changes to the AD DC sam.ldb database are logged under the dsdb_audit and a JSON representation is logged under dsdb_json_audit. - Group membership changes to the Group membership changes to the AD DC sam.ldb database are logged under the dsdb_group_audit and a JSON representation is logged under dsdb_group_json_audit. - Password changes and Password resets are logged under - dsdb_password_audit and a JSON representation is logged under the - dsdb_password_json_audit. + Log levels for dsdb_audit, + dsdb_json_audit, + dsdb_group_audit, + dsdb_group_json_audit and + dsdb_json_audit are: + + 5: Database modifications + 5: Replicated updates from another DC + + + Password changes and Password resets in the AD DC are logged + under dsdb_password_audit and a JSON + representation is logged under the + dsdb_password_json_audit. Password changes + will also appears as authentication events via + auth_audit and + auth_audit_json. + + Log levels for dsdb_password_audit and + dsdb_password_json_audit are: + + 5: Successful password changes and resets + Transaction rollbacks and prepare commit failures are logged under the dsdb_transaction_audit and a JSON representation is logged under the dsdb_transaction_json_audit. + Log levels for dsdb_transaction_audit and + dsdb_transaction_json are: + + + 5: Transaction failure (rollback) + 10: Transaction success (commit) + + Transaction roll-backs are possible in Samba, and whilst they rarely reflect anything more than the failure of an individual operation (say due to the add of a conflicting record), -- 2.25.1
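Review bot: the PATCH 1/6 hunk on loglevel.xml brings the class list back in line with default_classname_table[] by hand-pasting, which is exactly how it drifted in the first place (smb2 and smb2_credits had moved, and drs_repl, dsdb_group_audit and dsdb_group_json_audit were missing); suggest adding a small build or selftest check that diffs the names in this XML list against the table in lib/util/debug.c so the next new debug class cannot be added to the code without updating the man page.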
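Review bot: the PATCH 2/6 subject says "dsdb_group_audit_json" but the hunk (and the class list from PATCH 1/6) uses dsdb_group_json_audit; please fix the subject so a grep of the log for the class name finds this commit. The added paragraph itself is fine and is placed consistently with the existing dsdb_audit / dsdb_json_audit paragraph above it.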
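Review bot: the second added sentence in the PATCH 3/6 hunk is circular: it opens with "Transaction roll-backs are possible in Samba" and ends with "they are possible"; suggest cutting the trailing clause and ending after "(say due to the add of a conflicting record)". The class-name correction from password_json_audit to dsdb_transaction_json_audit matches the list in PATCH 1/6. The final added paragraph is the most useful part for anyone shipping these logs to a SIEM: changes made locally by root with direct database access reach only the administrator's console, so the system-log audit trail is not complete on its own; it may be worth stating outright that monitoring for such changes has to rely on controlling and recording console or local access rather than on these audit classes. Also, "explination" in the subject should be "explanation".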
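Review bot: in the PATCH 4/6 hunk on autheventnotification.xml the new sentence reads "Instead, this should instead be considered", a doubled "instead" (the same sentence is pasted into the other three files, so fix all four); suggest "This should instead be considered a developer option". The hunk also drops the old sentence "Additionally Samba must be compiled with the jansson support for this option to be effective" without replacing it; if the requirement still holds it should stay, since the loglevel.xml text in PATCH 5/6 still talks about builds with --without-json. Finally, the suggested setting "auth_json_audit:3" only captures levels 2 and 3 (failure and success); the level list in loglevel.xml puts anonymous authentication and authorization at 5, so a site that wants every event should be pointed at auth_json_audit:5, or the text should say that 3 omits the anonymous events.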
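Review bot: the PATCH 4/6 hunks on dsdbgroupchangenotification.xml and dsdbpasswordeventnotification.xml replace the precise "The group events are also logged" and "The password events are also logged" with the generic "The Samba database events are also logged", which loses information in exactly the two pages where the distinction matters; keep the original subjects and only append the ", say to dsdb_group_json_audit:5" / ", say to dsdb_password_json_audit:5" part, which is the actual improvement here and agrees with the level-5 entries added for those classes in PATCH 6/6.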
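Review bot: the PATCH 5/6 hunk at @@ -75,7 +75,8 @@ reflows "Log levels for auth_audit and auth_audit_json are:" but keeps the wrong class name: the list in PATCH 1/6 and the example in PATCH 4/6 both use auth_json_audit, and there is no auth_audit_json class, so an administrator copying this name into "log level" gets no JSON output; since the line is being touched anyway, change it to auth_json_audit here. The remaining hunks in this patch only add markup around class names and look fine.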
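Review bot: the PATCH 6/6 hunk has four naming and grammar slips in the text it adds. The class list "dsdb_audit, dsdb_json_audit, dsdb_group_audit, dsdb_group_json_audit and dsdb_json_audit" names dsdb_json_audit twice; drop the last item. "Password changes will also appears as authentication events" should read "will also appear". "auth_audit_json" should be auth_json_audit, matching the class list. "Log levels for dsdb_transaction_audit and dsdb_transaction_json are:" should name dsdb_transaction_json_audit. The level tables themselves are a real improvement for defenders: they make clear that dsdb_transaction at 5 yields only rollbacks while 10 also records every successful commit, and that "Replicated updates from another DC" arrive at the same level 5 as local modifications under dsdb_audit, so a consumer cannot separate the two by level alone and has to look at the event content.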