Deletion auditing is not available in TrueNAS Scale

I am trying to have a file deletion audit trail; however, the best I can get is the audit showing a ‘Create’ event in the ‘.recycle’ directory whenever a deletion occurs. This does not show me the name of the file that was deleted.

I have already tested turning off deletion permission and then having the audit trail show an ‘unlink’ event, however this adds the additional pain of not being able to rename folders, which I don’t want.

I have set up ZFS snapshots just in case anything is deleted; however, I would like the audit trail to specify which file was deleted and by what user.

Many thanks in advance and let me know if you need additional information.

Okay. I’m looking at code. The way that you delete a file BTW over SMB protocol is by issuing an SMB CREATE with the “delete on close” flag set, then closing the file.

Actual file deletions in audit log will show as UNLINK. Are you not seeing an associated UNLINK event when deleting a file from the recycle bin?

  {
    "audit_id": "9c371db4-b254-40c2-8824-32befc680540",
    "message_timestamp": 1736372814,
    "timestamp": {
      "$date": 1736372814000
    },
    "address": "127.0.0.1",
    "username": "smbsuer",
    "session": "ec398fab-c8e5-46fa-be7b-7cef5f8a824f",
    "service": "SMB",
    "service_data": {
      "vers": {
        "major": 0,
        "minor": 1
      },
      "service": "SHARE",
      "session_id": "4253966629",
      "tcon_id": "3018991275"
    },
    "event": "UNLINK",
    "event_data": {
      "file": {
        "type": "REGULAR",
        "path": ".recycle/smbsuer/canary.delme",
        "stream": null,
        "snap": null
      },
      "result": {
        "type": "UNIX",
        "value_raw": 0,
        "value_parsed": "SUCCESS"
      },
      "vers": {
        "major": 0,
        "minor": 1
      }
    },
    "success": true
  },

I’m not seeing your issue.

root@testOVNB7UPJXS[~/middleware/src/middlewared]# midclt call audit.query '{"services": ["SMB"], "query-filters": [["event", "=", "UNLINK"]], "query-options": {"select": ["username", "event_data.file"]}}' | jq
[
  {
    "username": "smbsuer",
    "event_data": {
      "file": {
        "type": "REGULAR",
        "path": "canary.delme",
        "stream": null,
        "snap": null
      }
    }
  },
  {
    "username": "smbsuer",
    "event_data": {
      "file": {
        "type": "REGULAR",
        "path": ".recycle/smbsuer/canary.delme",
        "stream": null,
        "snap": null
      }
    }
  }
]

To make it clearer: I see the two deletion events. The first one is where it gets recycled, and the second one is the file getting purged from the recycle bin.
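As an added illustration of how to read these records (this is example code written for this thread, not TrueNAS middleware code), the script below takes SMB audit records shaped like the ones posted above, as `audit.query` returns them, and turns the two-stage deletion into a per-file report: an UNLINK whose path is outside `.recycle/` is the file leaving the share into the recycle bin, and an UNLINK under `.recycle/` is the purge that makes the file unrecoverable without a snapshot. The sample records are constructed (the `audit_id` values are placeholders, and the failed-attempt record is made up to show how a denied deletion looks); it assumes the recycle bin is enabled, as in the thread.

```python
"""Summarise SMB file deletions from TrueNAS audit records.

Added example for this thread, not code from the TrueNAS project. It assumes
records shaped like those returned by `midclt call audit.query` for the SMB
service (as posted above). The sample records below are constructed.
"""
import json

RECYCLE_PREFIX = ".recycle/"   # vfs_recycle directory as seen in the audit paths above

# Constructed sample: a file is created, deleted over SMB (moved to the recycle
# bin), then purged from the recycle bin; plus a constructed denied attempt by
# another user. audit_id values are placeholders, not real identifiers.
SAMPLE_RECORDS = json.loads("""
[
  {"audit_id": "placeholder-1", "message_timestamp": 1736372800, "username": "smbsuer",
   "service": "SMB", "event": "CREATE", "success": true,
   "event_data": {"file": {"type": "REGULAR", "path": "canary.delme"}}},
  {"audit_id": "placeholder-2", "message_timestamp": 1736372810, "username": "smbsuer",
   "service": "SMB", "event": "UNLINK", "success": true,
   "event_data": {"file": {"type": "REGULAR", "path": "canary.delme"},
                  "result": {"type": "UNIX", "value_raw": 0, "value_parsed": "SUCCESS"}}},
  {"audit_id": "placeholder-3", "message_timestamp": 1736372814, "username": "smbsuer",
   "service": "SMB", "event": "UNLINK", "success": true,
   "event_data": {"file": {"type": "REGULAR", "path": ".recycle/smbsuer/canary.delme"},
                  "result": {"type": "UNIX", "value_raw": 0, "value_parsed": "SUCCESS"}}},
  {"audit_id": "placeholder-4", "message_timestamp": 1736372820, "username": "alice",
   "service": "SMB", "event": "UNLINK", "success": false,
   "event_data": {"file": {"type": "REGULAR", "path": "reports/q4.xlsx"},
                  "result": {"type": "UNIX", "value_raw": 13, "value_parsed": "EACCES"}}}
]
""")


def unlink_events(records):
    """Yield (timestamp, username, path, success) for every SMB UNLINK record.

    Records without a file path (non-file events) are skipped.
    """
    for rec in records:
        if rec.get("service") != "SMB" or rec.get("event") != "UNLINK":
            continue
        file_info = rec.get("event_data", {}).get("file") or {}
        path = file_info.get("path")
        if path is None:
            continue
        yield rec["message_timestamp"], rec["username"], path, bool(rec.get("success"))


def deletion_report(records):
    """Classify each UNLINK, in time order, as one of:
       recycled - the file left the share into the recycle bin
       purged   - the file was removed from .recycle/ (gone unless snapshotted)
       denied   - the unlink failed (success == false)
    """
    report = []
    for ts, user, path, ok in sorted(unlink_events(records), key=lambda e: e[0]):
        if not ok:
            stage = "denied"
        elif path.startswith(RECYCLE_PREFIX):
            stage = "purged"
        else:
            stage = "recycled"
        report.append({"timestamp": ts, "user": user, "path": path, "stage": stage})
    return report


def permanently_gone(records):
    """Basenames purged from the recycle bin, i.e. only recoverable from a ZFS snapshot."""
    return sorted({e["path"].split("/")[-1]
                   for e in deletion_report(records) if e["stage"] == "purged"})


if __name__ == "__main__":
    # Feed real output in with: midclt call audit.query '{"services": ["SMB"]}' | python3 this_script.py
    # (replace SAMPLE_RECORDS with json.load(sys.stdin) for that use).
    print(json.dumps(deletion_report(SAMPLE_RECORDS), indent=2))
    print("purged:", permanently_gone(SAMPLE_RECORDS))
```

The `.recycle/` prefix check is what distinguishes "recycled" from "purged"; if the recycle bin were disabled on the share, a top-level UNLINK would already be the permanent deletion, so the classification should be read with the share's recycle setting in mind.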