From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com, Alan Evangelista <alan.vitor@gmail.com>
Subject: Re: Samba and AuditD
Date: Wed, 10 Feb 2021 16:26:39 -0500
Message-ID: <2316118.jE0xQCEvom@x2>
In-Reply-To: <CAKz+TUvuOh849j=CaM=OjH1dwbr0bocM6_gdGO-i-wA2-bkr5g@mail.gmail.com>
Hello,
Moderator system is acting up. But it'll go through eventually.
On Wednesday, February 10, 2021 3:41:45 PM EST Alan Evangelista wrote:
> I have installed audit 2.8.5 on a CentOS 7 and set up the following rule in
> /etc/audit/rules.d/audit.rules:
>
> -w /data
>
> /data is shared via Samba to a Windows Server 2016 system. If I write to
> /data in the CentOS7 system, I get the open syscall event in the auditd
> log. If I write to the same directory in the Windows Server 2016, I see the
> file in the /data directory in the CentOS7 system, but the event is not
> logged by audit. Is that the expected behavior?
Unfortunately, yes. The Linux kernel has no idea who the user is in the
Windows machine since they're not really logged in. This applies to all
remote file systems. They may yield a few events, but that is more by
accident than design.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit