Project

General

Profile

Feature #11037

SMB File access audit logging (reserve IDs)

Added by Gordon Ross about 1 year ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Start date:
2019-05-15
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:

Description

Customers want to be able to audit file access over SMB.

Access log entries should contain information including:
Who (User ID and/or SID, and client IP when remote),
When, Where (directory+file), What (action: READ/WRITE, ...)

Control over audit logging should (ideally) use the "System
Access Control List" (SACL), which is the part of the ACL that
contains "Audit" Access Control Entries (ACEs). An Audit ACE
has flags that allow for auditing only failed access (logging all
attempts to access something where the specified access was
not allowed) or successful access (logging every instance where
someone opened a file with the specified access) or both.

Enabling auditing does have some cost, so we'll probably want
some or all of the following audit controls:
a: system-wide enable, that causes the C2 audit daemon to run.
b: per-share or per data set (TBD) audit enable flag
(It may be that the presence of a SACL in any data set is a
sufficient configuration control for "b". This is also how
Windows handles auditing: global enable, then SACLs).

Steps to Reproduce:
a: Enable auditing at the system level. (interface TBD)
b: Set a SACL on all directories and files in some hierarchy,
where some SACLs have an "Audit Success" ACE with
access mask "read+write".
c: Set a SACL on all directories nad files in some other
hierarchy where some SACLs have an "Audit Failure" ACE
with access mask "read".
d: Read and modify the files created in "b".
e: Attempt to read the files creded in "c".

Expected Results:
Step "d" should produce logged successful access,
including Who, What, When, etc.
Step "e" should produce logged failed access,
including Who, What, When, etc.

Actual Results:
No access logs.

History

#1

Updated by Gordon Ross about 1 year ago

  • Description updated (diff)
  • Status changed from New to In Progress

Questions have come up about how to configure SMB auditing.

The best answer for "How can customers select what is subject to audit?" is to edit the security properties from a windows client. To do that (as usual) they should right click on a directory in Windows Explorer, select the security tab, then add an "audit success" or "audit failure" ACE to the "system ACL". Typically that ACE should be inherited (shown as "applies to: this folder, sub-folders, and files").
Note that one must be authenticated as a user with administrative privileges to examine or modify the system ACL.
(The "system ACL" is a protected part of the ACL.)

Here's a link to an MS doc describing the above:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder

The good news about this approach is that the only configuration item we need to handle on the server side is the system-wide "enable auditing" control.

#2

Updated by Gordon Ross 7 months ago

  • Subject changed from SMB File access audit logging to SMB File access audit logging (reserve IDs)
#3

Updated by Gordon Ross 7 months ago

In order to avoid conflicts over ID assignment in the auditing code, We had to split 11037 into two parts:
11037 SMB File access audit logging (reserve IDs)
#11873 SMB File access audit logging (remainder)

See #11873 for additional information.

#4

Updated by Electric Monk 7 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit b5c366f4aa9361f18dccd4d00380b3e2e36be40c

commit  b5c366f4aa9361f18dccd4d00380b3e2e36be40c
Author: Matt Barden <matt.barden@nexenta.com>
Date:   2019-10-25T14:36:03.000Z

    11037 SMB File access audit logging (reserve IDs)
    Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
    Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
    Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
    Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
    Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
    Reviewed by: John Levon <john.levon@joyent.com>

#5

Updated by Gordon Ross 7 months ago

I forgot to add the "Approved by: ..." line before I pushed.
Approved by: Garrett D'Amore <>
https://illumos.topicbox.com/groups/advocates/T048910cea52e09b6-Ma86bbc7f5142f176671edc06

Also available in: Atom PDF