From: Gary Lockyer Date: Tue, 3 Apr 2018 23:56:30 +0000 (+1200) Subject: logging: add ldb audit classes X-Git-Url: http://git.samba.org/?p=metze%2Fsamba%2Fwip.git;a=commitdiff_plain;h=2ba55f81a9514a9e8adc6904e58d166c98aecaa7 logging: add ldb audit classes Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett --- diff --git a/docs-xml/smbdotconf/logging/loglevel.xml b/docs-xml/smbdotconf/logging/loglevel.xml index fae5c7b079e7..ffd907508b67 100644 --- a/docs-xml/smbdotconf/logging/loglevel.xml +++ b/docs-xml/smbdotconf/logging/loglevel.xml @@ -46,6 +46,12 @@ auth_audit auth_json_audit kerberos + dsdb_audit + dsdb_json_audit + dsdb_password_audit + dsdb_password_json_audit + dsdb_transaction_audit + dsdb_transaction_json_audit Authentication and authorization audit information is logged @@ -58,7 +64,7 @@ as well as the implicit authentication in password changes. In the file server, NTLM authentication, SMB and RPC authorization is covered. - + Log levels for auth_audit and auth_audit_json are: 2: Authentication Failure @@ -66,9 +72,25 @@ 4: Authorization Success 5: Anonymous Authentication and Authorization Success - - + Changes to the sam.ldb database are logged + under the dsdb_audit, and if Samba was not compiled with + --without-json-audit, a JSON representation is logged under + dsdb_json_audit. + + Password changes and Password resets are logged under + dsdb_password_audit, and if Samba was not compiled with + --without-json-audit, a JSON representation is logged under the + dsdb_password_json_audit. + + Transaction rollbacks and prepare commit failures are logged under + the dsdb_transaction_audit, and if Samba was not compiled with + --without-json-audit, a JSON representation is logged under the + password_json_audit. Logging the transaction details allows the + identification of password and sam.ldb operations that have been rolled + back. + + 0 3 passdb:5 auth:10 winbind:2 
diff --git a/lib/util/debug.c b/lib/util/debug.c
index d010b724203a..d7b641e4384b 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -543,6 +543,12 @@ static const char *default_classname_table[] = {
  [DBGC_DRS_REPL] = "drs_repl",
  [DBGC_SMB2] = "smb2",
  [DBGC_SMB2_CREDITS] = "smb2_credits",
+ [DBGC_DSDB_AUDIT] = "dsdb_audit",
+ [DBGC_DSDB_AUDIT_JSON] = "dsdb_json_audit",
+ [DBGC_DSDB_PWD_AUDIT] = "dsdb_password_audit",
+ [DBGC_DSDB_PWD_AUDIT_JSON] = "dsdb_password_json_audit",
+ [DBGC_DSDB_TXN_AUDIT] = "dsdb_transaction_audit",
+ [DBGC_DSDB_TXN_AUDIT_JSON] = "dsdb_transaction_json_audit",
 };
 
 /*
diff --git a/lib/util/debug.h b/lib/util/debug.h
index 1e184b47de92..8d285cd7b0f0 100644
--- a/lib/util/debug.h
+++ b/lib/util/debug.h
@@ -95,6 +95,12 @@ bool dbghdr( int level, const char *location, const char *func);
 #define DBGC_DRS_REPL 27
 #define DBGC_SMB2 28
 #define DBGC_SMB2_CREDITS 29
+#define DBGC_DSDB_AUDIT 30
+#define DBGC_DSDB_AUDIT_JSON 31
+#define DBGC_DSDB_PWD_AUDIT 32
+#define DBGC_DSDB_PWD_AUDIT_JSON 33
+#define DBGC_DSDB_TXN_AUDIT 34
+#define DBGC_DSDB_TXN_AUDIT_JSON 35
 
 /* So you can define DBGC_CLASS before including debug.h */
 #ifndef DBGC_CLASS
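Review bot: The class name registered here as `"dsdb_transaction_json_audit"` does not match the documentation added in the same commit in docs-xml/smbdotconf/logging/loglevel.xml, whose transaction paragraph says the JSON representation is logged under `password_json_audit`. As far as the visible lines show, an administrator who follows that paragraph when setting `log level` would not raise the class these entries are actually emitted under, so the transaction JSON audit log would stay silent while appearing configured; the documentation line should name `dsdb_transaction_json_audit`. The six table entries themselves agree with the numbering added to lib/util/debug.h in this commit.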
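Review bot: The six new `DBGC_DSDB_*` values are a second copy of the ordering kept in `default_classname_table[]` in lib/util/debug.c, and nothing in this header ties the two together; a class number added here but not in that designated-initializer table would be silently zero-initialized, leaving a NULL class name for it. A short comment would help the next person who adds a class, e.g. `/* Every DBGC_* value must also have an entry in default_classname_table[] in lib/util/debug.c */` placed before `#define DBGC_DSDB_AUDIT 30`.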