SMB File access audit logging (reserve IDs)
Customers want to be able to audit file access over SMB.
Access log entries should contain information including:
Who (User ID and/or SID, and client IP when remote),
When, Where (directory+file), What (action: READ/WRITE, ...)
Control over audit logging should (ideally) use the "System
Access Control List" (SACL), which is the part of the ACL that
contains "Audit" Access Control Entries (ACEs). An Audit ACE
has flags that allow for auditing only failed access (logging all
attempts to access something where the specified access was
not allowed) or successful access (logging every instance where
someone opened a file with the specified access) or both.
Enabling auditing does have some cost, so we'll probably want
some or all of the following audit controls:
a: system-wide enable, that causes the C2 audit daemon to run.
b: per-share or per data set (TBD) audit enable flag
(It may be that the presence of a SACL in any data set is a
sufficient configuration control for "b". This is also how
Windows handles auditing: global enable, then SACLs).
Steps to Reproduce:
a: Enable auditing at the system level. (interface TBD)
b: Set a SACL on all directories and files in some hierarchy,
where some SACLs have an "Audit Success" ACE with
access mask "read+write".
c: Set a SACL on all directories and files in some other
hierarchy where some SACLs have an "Audit Failure" ACE
with access mask "read".
d: Read and modify the files created in "b".
e: Attempt to read the files created in "c".
Step "d" should produce logged successful access,
including Who, What, When, etc.
Step "e" should produce logged failed access,
including Who, What, When, etc.
No access logs.
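As an added illustration (not illumos code and not part of this issue), the following Python model shows the audit decision the description calls for: an Audit ACE in the SACL, flagged for successful and/or failed access, selects which outcomes on which rights produce a record carrying Who, When, Where and What. It also models the system-wide enable ("a") and SACL inheritance from a directory to the files under it, then runs steps b through e. The SIDs, paths and client IP are constructed sample values; the flag and access-right constants are the documented Windows values.

```python
"""Model of SACL-driven file-access auditing for an SMB server.

Added example, not code from illumos or this issue. It models the decision
described in the issue: an Audit ACE in the SACL, flagged for successful
and/or failed access, selects which outcomes on which rights are logged.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Windows ACE flag and file access-right values (as defined in winnt.h).
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002

# Names used for the "What" field of a record (READ/WRITE as in the issue).
ACTION_NAMES = {FILE_READ_DATA: "READ", FILE_WRITE_DATA: "WRITE"}


@dataclass(frozen=True)
class AuditAce:
    """One SYSTEM_AUDIT ACE: trustee SID, access mask, ACE flags."""
    trustee: str
    mask: int
    flags: int


@dataclass(frozen=True)
class AuditRecord:
    """Who / When / Where / What, plus whether the access was allowed."""
    who: str
    client_ip: str
    when: str
    where: str
    what: tuple
    outcome: str


def inherited_sacl(parent_sacl, child_is_dir):
    """Audit ACEs a newly created child takes from its parent directory
    (an ACE set as "this folder, sub-folders, and files")."""
    want = CONTAINER_INHERIT_ACE if child_is_dir else OBJECT_INHERIT_ACE
    return tuple(ace for ace in parent_sacl if ace.flags & want)


def audited_rights(sacl, principal_sids, requested, granted):
    """Return the requested rights that some Audit ACE says to log for
    this outcome (success or failure) and this principal."""
    outcome_flag = SUCCESSFUL_ACCESS_ACE_FLAG if granted else FAILED_ACCESS_ACE_FLAG
    bits = 0
    for ace in sacl:
        if ace.trustee in principal_sids and ace.flags & outcome_flag:
            bits |= ace.mask & requested
    return bits


def audit_access(auditing_enabled, sacl, principal, path, requested, granted,
                 now=None) -> Optional[AuditRecord]:
    """Decide whether one open() produces an audit record and build it.
    `principal` is a dict with sid, groups and client_ip (constructed shape)."""
    if not auditing_enabled:          # system-wide control "a" is off
        return None
    sids = {principal["sid"], *principal["groups"]}
    bits = audited_rights(sacl, sids, requested, granted)
    if not bits:                      # no Audit ACE covers this outcome/right
        return None
    when = (now or datetime.now(timezone.utc)).isoformat()
    what = tuple(name for bit, name in ACTION_NAMES.items() if bits & bit)
    return AuditRecord(principal["sid"], principal["client_ip"], when, path,
                       what, "SUCCESS" if granted else "FAILURE")


EVERYONE = "S-1-1-0"
# Constructed sample principal: a domain user connecting from a LAN address.
ALICE = {"sid": "S-1-5-21-1-2-3-1001", "groups": {EVERYONE},
         "client_ip": "192.0.2.10"}


def run_scenario():
    """Steps b..e from the issue, plus two accesses that must NOT be logged."""
    inherit = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
    # b: hierarchy with an "Audit Success" ACE for read+write
    sacl_b = (AuditAce(EVERYONE, FILE_READ_DATA | FILE_WRITE_DATA,
                       SUCCESSFUL_ACCESS_ACE_FLAG | inherit),)
    # c: hierarchy with an "Audit Failure" ACE for read
    sacl_c = (AuditAce(EVERYONE, FILE_READ_DATA, FAILED_ACCESS_ACE_FLAG | inherit),)
    file_b = inherited_sacl(sacl_b, child_is_dir=False)
    file_c = inherited_sacl(sacl_c, child_is_dir=False)
    events = [  # (where, sacl, requested rights, was access granted?)
        ("/share/b/report.txt", file_b, FILE_READ_DATA | FILE_WRITE_DATA, True),  # d
        ("/share/c/secret.txt", file_c, FILE_READ_DATA, False),                   # e
        ("/share/c/secret.txt", file_c, FILE_READ_DATA, True),    # success in c: silent
        ("/share/b/report.txt", file_b, FILE_WRITE_DATA, False),  # failure in b: silent
    ]
    records = []
    for where, sacl, requested, granted in events:
        rec = audit_access(True, sacl, ALICE, where, requested, granted)
        if rec is not None:
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in run_scenario():
        print(rec)
```

Only two of the four accesses yield records: the successful read+write under "b" and the failed read under "c". The success in "c" and the failure in "b" are silent because each hierarchy's ACE carries only one of the two outcome flags, which is the behaviour the expected results for steps d and e describe.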
Updated by Gordon Ross almost 3 years ago
- Description updated (diff)
- Status changed from New to In Progress
Questions have come up about how to configure SMB auditing.
The best answer for "How can customers select what is subject to audit?" is to edit the security properties from a windows client. To do that (as usual) they should right click on a directory in Windows Explorer, select the security tab, then add an "audit success" or "audit failure" ACE to the "system ACL". Typically that ACE should be inherited (shown as "applies to: this folder, sub-folders, and files").
Note that one must be authenticated as a user with administrative privileges to examine or modify the system ACL.
(The "system ACL" is a protected part of the ACL.)
Here's a link to an MS doc describing the above:
The good news about this approach is that the only configuration item we need to handle on the server side is the system-wide "enable auditing" control.
Updated by Gordon Ross over 2 years ago
Updated by Electric Monk over 2 years ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit b5c366f4aa9361f18dccd4d00380b3e2e36be40c
Author: Matt Barden <firstname.lastname@example.org>
Date: 2019-10-25T14:36:03.000Z

11037 SMB File access audit logging (reserve IDs)
Reviewed by: Gordon Ross <email@example.com>
Reviewed by: Roman Strashkin <firstname.lastname@example.org>
Reviewed by: Saso Kiselkov <email@example.com>
Reviewed by: Rick McNeal <firstname.lastname@example.org>
Reviewed by: Yuri Pankov <email@example.com>
Reviewed by: John Levon <firstname.lastname@example.org>