Project

General

Profile

Actions
Copy link

Feature #11037

closed

SMB File access audit logging (reserve IDs)

Added by Gordon Ross over 4 years ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Gordon Ross
Category:
-
Start date:
2019-05-15
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
fs_auditing
Gerrit CR:
External Bug:

Description

Customers want to be able to audit file access over SMB.

Access log entries should contain information including:
Who (User ID and/or SID, and client IP when remote),
When, Where (directory+file), What (action: READ/WRITE, ...)

Control over audit logging should (ideally) use the "System
Access Control List" (SACL), which is the part of the ACL that
contains "Audit" Access Control Entries (ACEs). An Audit ACE
has flags that allow for auditing only failed access (logging all
attempts to access something where the specified access was
not allowed) or successful access (logging every instance where
someone opened a file with the specified access) or both.

Enabling auditing does have some cost, so we'll probably want
some or all of the following audit controls:
a: system-wide enable, that causes the C2 audit daemon to run.
b: per-share or per data set (TBD) audit enable flag
(It may be that the presence of a SACL in any data set is a
sufficient configuration control for "b". This is also how
Windows handles auditing: global enable, then SACLs).

Steps to Reproduce:
a: Enable auditing at the system level. (interface TBD)
b: Set a SACL on all directories and files in some hierarchy,
where some SACLs have an "Audit Success" ACE with
access mask "read+write".
c: Set a SACL on all directories nad files in some other
hierarchy where some SACLs have an "Audit Failure" ACE
with access mask "read".
d: Read and modify the files created in "b".
e: Attempt to read the files creded in "c".

Expected Results:
Step "d" should produce logged successful access,
including Who, What, When, etc.
Step "e" should produce logged failed access,
including Who, What, When, etc.

Actual Results:
No access logs.

Related issues

Related to illumos gate - Feature #11874: NFS file access audit loggingIn ProgressMatt Barden

Actions
Related to illumos gate - Bug #11842: Want audit events for auditon(A_SETPMASK) and friendsClosedAlex Wilson

Actions
Related to illumos gate - Bug #11873: SMB file access audit loggingIn ProgressMatt Barden

Actions
Related to illumos gate - Feature #11875: ZFS changes for file access auditingNewMatt Barden

Actions
Actions
Copy link
 #1

Updated by Gordon Ross over 4 years ago

  • Description updated (diff)
  • Status changed from New to In Progress

Questions have come up about how to configure SMB auditing.

The best answer for "How can customers select what is subject to audit?" is to edit the security properties from a windows client. To do that (as usual) they should right click on a directory in Windows Explorer, select the security tab, then add an "audit success" or "audit failure" ACE to the "system ACL". Typically that ACE should be inherited (shown as "applies to: this folder, sub-folders, and files").
Note that one must be authenticated as a user with administrative privileges to examine or modify the system ACL.
(The "system ACL" is a protected part of the ACL.)

Here's a link to an MS doc describing the above:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder

The good news about this approach is that the only configuration item we need to handle on the server side is the system-wide "enable auditing" control.

Actions
Copy link
 #2

Updated by Gordon Ross almost 4 years ago

  • Subject changed from SMB File access audit logging to SMB File access audit logging (reserve IDs)
Actions
Copy link
 #3

Updated by Gordon Ross almost 4 years ago

In order to avoid conflicts over ID assignment in the auditing code, We had to split 11037 into two parts:
11037 SMB File access audit logging (reserve IDs)
#11873 SMB File access audit logging (remainder)

See #11873 for additional information.

Actions
Copy link
 #4

Updated by Electric Monk almost 4 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit b5c366f4aa9361f18dccd4d00380b3e2e36be40c

commit  b5c366f4aa9361f18dccd4d00380b3e2e36be40c
Author: Matt Barden <matt.barden@nexenta.com>
Date:   2019-10-25T14:36:03.000Z

    11037 SMB File access audit logging (reserve IDs)
    Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
    Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
    Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
    Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
    Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
    Reviewed by: John Levon <john.levon@joyent.com>

Actions
Copy link
 #5

Updated by Gordon Ross almost 4 years ago

I forgot to add the "Approved by: ..." line before I pushed.
Approved by: Garrett D'Amore <>
https://illumos.topicbox.com/groups/advocates/T048910cea52e09b6-Ma86bbc7f5142f176671edc06

Actions
Copy link
 #6

Updated by Joshua M. Clulow over 1 year ago

Actions
Copy link
 #7

Updated by Gordon Ross 8 months ago

  • Related to Bug #11842: Want audit events for auditon(A_SETPMASK) and friends added
Actions
Copy link
 #8

Updated by Gordon Ross 8 months ago

  • Related to Bug #11873: SMB file access audit logging added
Actions
Copy link
 #9

Updated by Gordon Ross 8 months ago

  • Related to Feature #11875: ZFS changes for file access auditing added
Actions
Copy link
 #10

Updated by Gordon Ross 4 months ago

  • Tags changed from needs-triage to fs_auditing
Actions
Copy link

Also available in: Atom PDF