
enterprise-support team mailing list archive

[Bug 1950803] [NEW] Samba vfs_full_audit reports everything

 

Public bug reported:

We have Samba file sharing set up to log a number of operations using
the VFS full audit capability. This is in hopes of stopping ransomware.
See for example https://github.com/roblio/ransom2ban.

The configuration in smb.conf contains this:
   # Anti-ransomware full audit to /var/log/ransom2ban/samba_audit.log
   full_audit:failure = none
   full_audit:success = pwrite pwrite_send pwrite_recv write rename unlink mkdir
   full_audit:prefix = IP=%I|USER=%u|SHARE=%S
   full_audit:facility = local5
   full_audit:priority = debug
   vfs objects = full_audit

Before the update to 4.13.14+dfsg-0ubuntu0.20.04.1, this worked fine.
With the update, the logging has gone through the roof, and appears to
be logging *all* operations, independent of the settings. For instance,
it logs "listxattr" despite it not being listed. I also tried adding
"!listxattr" to the "success" list, but no change.

Note that our CentOS machine just got 4.13 as well, and does not have
this problem.

Maybe this is a testing parameter that was accidentally left in the
build??

----------------
# lsb_release -rd
Description:	Ubuntu 20.04.3 LTS
Release:	20.04

# dpkg-query -W samba\*
samba	2:4.13.14+dfsg-0ubuntu0.20.04.1
samba-common	2:4.13.14+dfsg-0ubuntu0.20.04.1
samba-common-bin	2:4.13.14+dfsg-0ubuntu0.20.04.1
samba-dsdb-modules:amd64	2:4.13.14+dfsg-0ubuntu0.20.04.1
samba-libs:amd64	2:4.13.14+dfsg-0ubuntu0.20.04.1
samba-testsuite	
samba-vfs-modules:amd64	2:4.13.14+dfsg-0ubuntu0.20.04.1

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: audit vfs

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1950803
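
One way to measure the over-logging described in the report, and to keep a log consumer acting only on the configured operations while the module ignores the list. This is an added example, not part of the original bug report, Samba, or ransom2ban. The `smbd_audit` syslog tag, the `operation|result|arguments` field order after the prefix, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Operations from the full_audit:success line in the report.
CONFIGURED_SUCCESS = frozenset(
    "pwrite pwrite_send pwrite_recv write rename unlink mkdir".split())

# Prefix layout from full_audit:prefix = IP=%I|USER=%u|SHARE=%S, followed by
# operation|result|arguments (field order assumed, see lead-in).
LINE_RE = re.compile(
    r"smbd_audit(?:\[\d+\])?:\s*"
    r"IP=(?P<ip>[^|]*)\|USER=(?P<user>[^|]*)\|SHARE=(?P<share>[^|]*)\|"
    r"(?P<op>[^|]+)\|(?P<result>[^|]+)(?:\|(?P<args>.*))?$")

def parse_line(line):
    """Return the fields of one full_audit record, or None for other lines."""
    m = LINE_RE.search(line.rstrip("\n"))
    return m.groupdict() if m else None

def split_by_policy(lines, allowed=CONFIGURED_SUCCESS):
    """Separate records the config asked for from records it did not.

    With full_audit:failure = none, any failed operation is unexpected,
    as is any successful operation outside the configured list.
    """
    wanted, unexpected = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a full_audit record
        if rec["op"] in allowed and rec["result"] == "ok":
            wanted.append(rec)
        else:
            unexpected[rec["op"]] += 1
    return wanted, unexpected

# Constructed sample lines, not taken from the reporter's log.
SAMPLE = [
    "Nov 12 10:00:01 fs1 smbd_audit[2211]: IP=192.0.2.10|USER=alice|SHARE=docs|listxattr|ok|/srv/docs/report.docx",
    "Nov 12 10:00:01 fs1 smbd_audit[2211]: IP=192.0.2.10|USER=alice|SHARE=docs|pwrite|ok|/srv/docs/report.docx",
    "Nov 12 10:00:02 fs1 smbd_audit[2211]: IP=192.0.2.10|USER=alice|SHARE=docs|rename|ok|report.docx|report-v2.docx",
    "Nov 12 10:00:02 fs1 smbd[2211]: unrelated daemon message",
    "Nov 12 10:00:03 fs1 smbd_audit[2211]: IP=192.0.2.10|USER=alice|SHARE=docs|getxattr|fail (No data available)|/srv/docs/report-v2.docx",
    "Nov 12 10:00:03 fs1 smbd_audit[2211]: IP=192.0.2.10|USER=alice|SHARE=docs|listxattr|ok|/srv/docs/report-v2.docx",
]

if __name__ == "__main__":
    wanted, unexpected = split_by_policy(SAMPLE)
    print("configured records:", [r["op"] for r in wanted])
    print("unexpected operations:", dict(unexpected))
```

A non-empty `unexpected` counter on a real log confirms that the module is ignoring the `success`/`failure` lists, and its keys show which operations are being emitted.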
