Public bug reported: We have Samba file sharing set up to log a number of operations using the VFS full audit capability. This is in hopes of stopping ransomware. See for example https://github.com/roblio/ransom2ban.
The configuration in smb.conf contains this: # Anti-ransomware full audit to /var/log/ransom2ban/samba_audit.log full_audit:failure = none full_audit:success = pwrite pwrite_send pwrite_recv write rename unlink mkdir full_audit:prefix = IP=%I|USER=%u|SHARE=%S full_audit:facility = local5 full_audit:priority = debug vfs objects = full_audit Before the update to 4.13.14+dfsg-0ubuntu0.20.04.1, this worked fine. With the update, the logging has gone through the roof, and appears to be logging *all* operations, independent of the settings. For instance, it logs "listxattr" despite it being not listed. I also tried adding "!listxattr" to the "success" list, but no change. Note that our CentOS machine just got 4.13 as well, and does not have this problem. Maybe this is a testing parameter that was accidentally left in the build?? ---------------- # lsb_release -rd Description: Ubuntu 20.04.3 LTS Release: 20.04 # dpkg-query -W samba\* samba 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba-common 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba-common-bin 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba-dsdb-modules:amd64 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba-libs:amd64 2:4.13.14+dfsg-0ubuntu0.20.04.1 samba-testsuite samba-vfs-modules:amd64 2:4.13.14+dfsg-0ubuntu0.20.04.1 ** Affects: samba (Ubuntu) Importance: Undecided Status: New ** Tags: audit vfs -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1950803 Title: Samba vfs_full_audit reports everything To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1950803/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs