Audit any file activity on datasets

Hellrazorx

Dabbler
Joined
Apr 30, 2021
Messages
29
Hi, I worked in a test environment with SMB audit to get all SMB operations into Graylog (on a separate server).

What I noticed when I wanted to apply it in production is that the auxiliary parameters are interfering with ACLs.

When this set is applied:
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = unlinkat renameat linkat pwrite mkdirat create_file
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

No other user than the user who controls the dataset & the group which controls the dataset can modify files.

The full (right) permission panel seems ignored.
___

Besides, I got an answer from Kris Moore (from the Discord channel) stating:
"In general this is why we recommend not setting Aux params. They do tend to have subtle breakages and aren't tested by us internally very much if at all. Your mileage may vary here."

So how do I log / audit / monitor file activity on my datasets if SMB audit is not the recommended way? Which way is the good one?

Thanks for ANY input at this point.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Compare the output of testparm -s of a working configuration with one with your auxiliary parameters enabled. Probably there will be something missing in the latter configuration, because TrueNAS seems to drop certain "automatic" parameters if auxiliary ones are present.

Add whatever is missing as auxiliary, too.
 

Hellrazorx

Thank you Patrick, is this what you mean?
[Attached image: 1670986743517.png]

It seems both are very similar.
 

Patrick M. Hausen

That's what I meant. I'm surprised by the result - sorry, no more ideas. Possibly take it to the Samba folks?
 

Hellrazorx

Thanks for the follow up, very appreciated.

I noticed the comparison was wrong and it came from a dataset that was not extensively set with permissions so it was probably not valid either.

I came up with this so far:
TN SCALE
vfs objects = full_audit recycle streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
full_audit:prefix = %u|%I|%m|%S
full_audit:success = unlinkat renameat linkat pwrite mkdirat create_file
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

TN CORE
vfs objects = full_audit recycle shadow_copy_zfs ixnas aio_fbsd
full_audit:prefix = %u|%I|%m|%S
full_audit:success = unlinkat renameat linkat pwrite mkdirat create_file
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

Both permissions and logs seem to work so far with this.
File audits in TrueNAS should really be checkboxes and be actually managed. I read a couple of posts of people abandoning the solution just because of this.

(As for asking Samba... I'd rather cut myself in the face)

I'll do some more testing and get back if something still needs to be fixed with my proposed solution.

@Patrick M. Hausen
Are you using SMB audits with your customers?

Tbc
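
Added example, not part of any post in this thread: a small Python script for the `testparm -s` comparison suggested above, reporting per share which `vfs objects` modules disappeared once the auxiliary parameters were applied. It assumes, as the working settings in the last post suggest, that an auxiliary `vfs objects` line replaces the share's module list; both dumps, the share name `data` and its path are constructed samples.

```python
# Added example: diff two saved `testparm -s` dumps, share by share (samples are constructed).
BASELINE = """\
[data]
    path = /mnt/tank/data
    vfs objects = recycle streams_xattr shadow_copy_zfs nfs4acl_xattr zfs_core io_uring
"""
WITH_AUX = """\
[data]
    path = /mnt/tank/data
    vfs objects = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = unlinkat renameat linkat pwrite mkdirat create_file
    full_audit:failure = none
"""

def parse_testparm(text):
    """Return {section: {parameter: value}} from `testparm -s` style output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[" ".join(key.split()).lower()] = value.strip()
    return sections

def diff_shares(baseline, modified):
    """Per share: VFS modules lost or gained, plus other parameters that differ."""
    report = {}
    for share in sorted(set(baseline) | set(modified)):
        old, new = baseline.get(share, {}), modified.get(share, {})
        old_vfs = old.get("vfs objects", "").split()
        new_vfs = new.get("vfs objects", "").split()
        entry = {
            "vfs_dropped": [m for m in old_vfs if m not in new_vfs],
            "vfs_added": [m for m in new_vfs if m not in old_vfs],
            "params_changed": sorted(k for k in set(old) | set(new)
                                     if k != "vfs objects" and old.get(k) != new.get(k)),
        }
        if any(entry.values()):
            report[share] = entry
    return report

if __name__ == "__main__":
    print(diff_shares(parse_testparm(BASELINE), parse_testparm(WITH_AUX)))
```

On a real system, save each configuration's output with `testparm -s > file` and pass the two files' contents to `parse_testparm`; any module listed under `vfs_dropped` is a candidate to add back to the auxiliary `vfs objects` line.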
 