Bug #2870

Smbaudit doesn't show the name of the file for some operations

Added by Alessio Fattorini about 5 years ago. Updated about 5 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-samba-audit
Target version: v6.5
Security class:
Resolution:
Affected version: v6.5-final
NEEDINFO: No

Description

All "elimination" actions are registered, but there is no way of knowing which file was deleted.
Same thing for the renaming: I know only the name of the file renamed, but not the new name that has been assigned.
Moreover, there are a lot of rows with a generic "other operation" action, which gives no information about the action indicated.
See attachment for more info.

Samba Audit.png (104 KB) Alessio Fattorini, 09/09/2014 06:53 AM

Associated revisions

Revision 7132b949
Added by Giacomo Sanchietti about 5 years ago

Log parser: handle special cases. Refs #2870

Revision 30b1c007
Added by Giacomo Sanchietti about 5 years ago

Log parser: fix rename action. Refs #2870

History

#1 Updated by Giacomo Sanchietti about 5 years ago

Please attach the log.

#2 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20
  • Affected version set to v6.5-final

Extract from /var/log/smbaudit.log:

Sep 11 12:30:42 localhost smbd[26698]: smbauditlog|2014/09/11 12:30:42|giacomo|192.168.5.22|test|giacomo|open|ok|r|COPYING
Sep 11 12:30:46 localhost smbd[26698]: smbauditlog|2014/09/11 12:30:46|giacomo|192.168.5.22|test|giacomo|open|ok|w|Corso_Linux_Base.pdf
Sep 11 12:30:51 localhost smbd[26698]: smbauditlog|2014/09/11 12:30:51|giacomo|192.168.5.22|test|giacomo|rename|ok|Corso_Linux_Base.pdf|aaa.pdf
Sep 11 12:30:58 localhost smbd[26698]: smbauditlog|2014/09/11 12:30:58|giacomo|192.168.5.22|test|giacomo|unlink|ok|COPYING

Extract from MySQL table:

[root@localhost ~]# mysql smbaudit -e "select * from audit";
+----+---------------------+-------+--------------+---------+--------+--------+---------+
| id | when                | share | ip           | user    | op     | result | arg     |
+----+---------------------+-------+--------------+---------+--------+--------+---------+
|  1 | 2014-09-11 12:02:30 | test  | 192.168.5.22 | giacomo | open   | ok     | COPYING |
|  2 | 2014-09-11 12:02:51 | test  | 192.168.5.22 | giacomo | unlink | ok     | NULL    |
+----+---------------------+-------+--------------+---------+--------+--------+---------+

Not all parameters are reported inside the MySQL table: the bug is confirmed.
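The mismatch above comes from operations carrying different argument counts: `open` has an access mode before the file name, `rename` has an old and a new name, `unlink` has one name. The following is an added example, not the nethserver-samba-audit parser: a Python sketch that handles each case. The field layout is an assumption inferred from the extract and the table columns, and the `mode`, `new_name` and `ambiguous` keys are hypothetical.

```python
from datetime import datetime

MARKER = "smbauditlog|"  # tag seen in the /var/log/smbaudit.log extract

def parse_audit_line(line):
    """Parse one smbaudit syslog line into a dict; None if it is not one."""
    pos = line.find(MARKER)
    if pos < 0:
        return None
    fields = line[pos + len(MARKER):].rstrip("\r\n").split("|")
    if len(fields) < 7:
        return None  # truncated record
    # Assumed layout, inferred from the extract and the table columns;
    # the sixth field (a second user name in the sample) is not stored.
    when, user, ip, share, _user2, op, result = fields[:7]
    args = fields[7:]
    try:
        ts = datetime.strptime(when, "%Y/%m/%d %H:%M:%S")
    except ValueError:
        return None  # malformed timestamp
    rec = {"when": ts, "share": share, "ip": ip, "user": user, "op": op,
           "result": result, "mode": None, "arg": None, "new_name": None,
           "ambiguous": False}
    if op == "open" and len(args) >= 2:
        # open carries the access mode (r/w) before the file name
        rec["mode"], rec["arg"] = args[0], "|".join(args[1:])
    elif op == "rename":
        if len(args) == 2:
            rec["arg"], rec["new_name"] = args
        else:
            # a '|' inside a name makes the old/new split undecidable
            rec["arg"], rec["ambiguous"] = "|".join(args) or None, True
    elif args:
        # unlink and other single-argument operations
        rec["arg"] = "|".join(args)
    return rec

# Sample input: the four lines quoted in the log extract above
P = "localhost smbd[26698]: smbauditlog|2014/09/11 12:30:"
U = "|giacomo|192.168.5.22|test|giacomo|"
SAMPLE = [
    "Sep 11 12:30:42 " + P + "42" + U + "open|ok|r|COPYING",
    "Sep 11 12:30:46 " + P + "46" + U + "open|ok|w|Corso_Linux_Base.pdf",
    "Sep 11 12:30:51 " + P + "51" + U + "rename|ok|Corso_Linux_Base.pdf|aaa.pdf",
    "Sep 11 12:30:58 " + P + "58" + U + "unlink|ok|COPYING",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(parse_audit_line(sample_line))
```

A rename whose names contain the `|` delimiter cannot be split reliably, so the sketch keeps the raw argument string and sets `ambiguous` rather than guessing which file was renamed to what.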

#3 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

Package in nethserver-testing:

  • nethserver-samba-audit-1.0.3-1.0git7132b949.ns6.noarch.rpm
  • nethserver-samba-audit-1.0.3-2.0git30b1c007.ns6.noarch.rpm

Test case:

  • Check the bug is not reproducible
  • Check the system correctly displays read and write operations
  • Check the system correctly displays rename operations
#6 Updated by Davide Principi about 5 years ago

  • Assignee set to Davide Principi

#7 Updated by Davide Principi about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED
nethserver-samba-audit-1.0.3-2.0git30b1c007.ns6.noarch.rpm fixes the problem

#8 Updated by Davide Principi about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-samba-audit-1.0.4-1.ns6.noarch.rpm
