From 782aee6803bba38b6461aa7f84bfc97828a4f222 Mon Sep 17 00:00:00 2001
From: Benjamin Bohard
Date: Tue, 17 Jun 2025 09:43:30 +0200
Subject: [PATCH] =?UTF-8?q?Adaptations=20pour=20l=E2=80=99envoi=20des=20lo?= =?UTF-8?q?gs=20samba?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
00-addc-forward_samba_logs | 32 +++++++++++++++++++++++++++
60_forward_samba_logs.xml | 42 ++++++++++++++++++++++++++++++++++++
addc-samba_logs_forward.conf | 19 ++++++++++++++++
smb-addc.conf.patch | 11 +++++++++++
4 files changed, 104 insertions(+)
create mode 100644 00-addc-forward_samba_logs
create mode 100644 60_forward_samba_logs.xml
create mode 100644 addc-samba_logs_forward.conf
create mode 100644 smb-addc.conf.patch
diff --git a/00-addc-forward_samba_logs b/00-addc-forward_samba_logs
new file mode 100644
index 0000000..a758c27
--- /dev/null
+++ b/00-addc-forward_samba_logs
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+ADDC_PATH="/var/lib/lxc/addc/rootfs"
+
+. /usr/lib/eole/utils.sh
+
+InstallSSLFiles rsyslog_addc syslog syslog "$ADDC_PATH/etc/rsyslog.d/ssl/"
+if [ $(CreoleGet samba_log_connexion_authentification_proxy non) == 'oui' ]
+then
+ ca_path=$(CreoleGet samba_log_connexion_ca_chemin)
+ if [ -f $ca_path ]
+ then
+ cat /etc/ssl/certs/ca_local.crt $ca_path > "$ADDC_PATH/etc/ssl/certs/ca_rsyslog.crt"
+ else
+ EchoRouge "Le certificat racine pour le pair rsyslog n’a pas été trouvé"
+ EchoRouge "Utilisation du mode anonyme"
+ cp /etc/ssl/certs/ca_local.crt "$ADDC_PATH/etc/ssl/certs/ca_rsyslog.crt"
+ fi
+else
+ cp /etc/ssl/certs/ca_local.crt "ADDC_PATH/etc/ssl/certs/ca_rsyslog.crt"
+fi
+
+if [ ! -e "$ADDC_PATH/var/log/rsyslog/queues" ]
+then
+ mkdir -p "$ADDC_PATH/var/log/rsyslog/queues"
+ lxc-attach -n addc chown syslog:adm /var/log/rsyslog/queues
+fi
+
+lxc-attach -n addc apt install rsyslog-gnutls
+
+lxc-attach -n addc systemctl restart rsyslog
+exit 0
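Review bot: The final `else` branch copies to `"ADDC_PATH/etc/ssl/certs/ca_rsyslog.crt"` without the `$`, so in the default non-authenticated configuration the CA file goes to a relative path (or the `cp` fails) and the container's `ca_rsyslog.crt` is never created; the line should be `cp /etc/ssl/certs/ca_local.crt "$ADDC_PATH/etc/ssl/certs/ca_rsyslog.crt"`. In the authenticated branch `$ca_path` is unquoted, and with an empty value `[ -f ]` evaluates to true, so the bundle would be built silently without the receiver's root certificate; `if [ -n "$ca_path" ] && [ -f "$ca_path" ]`, with `"$ca_path"` quoted in the `cat` as well, avoids that. Because the script ends in an unconditional `exit 0`, neither failure is reported to the caller. `apt install` without `-y` may also wait for confirmation when the script runs non-interactively.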
diff --git a/60_forward_samba_logs.xml b/60_forward_samba_logs.xml
new file mode 100644
index 0000000..79ad35e
--- /dev/null
+++ b/60_forward_samba_logs.xml
@@ -0,0 +1,42 @@
+
+
+
+
+
+
+
+
+ oui
+
+
+
+ 10514
+
+
+ non
+
+
+
+
+
+
+
+ non
+ forward_samba_logs
+ samba_log_connexion_proxy_ip
+ samba_log_connexion_proxy_port
+ samba_log_connexion_authentification_proxy
+
+
+ non
+ samba_log_connexion_ca_chemin
+ samba_log_connexion_proxy_nom
+
+
+
+ Les logs de connexions sont utiles au proxy type Palo Alto pour en dériver les autorisations de flux réseau (relation IP/utilisateur pour déterminer les permissions).
+ L’authentification du récepeteur des logs nécessite la récupération du certificat racine de celui-ci pour pouvoir valider son certificat x509
+ Le certificat racine ayant servi à signer le certificat présenté par le proxy.
+ Nom FQDN apparaissant dans le certificat x509 présenté par le proxy.
+
+
diff --git a/addc-samba_logs_forward.conf b/addc-samba_logs_forward.conf
new file mode 100644
index 0000000..593fe73
--- /dev/null
+++ b/addc-samba_logs_forward.conf
@@ -0,0 +1,19 @@
+$DefaultNetstreamDriver gtls
+$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca_rsyslog.crt
+$DefaultNetstreamDriverCertFile /etc/rsyslog.d/ssl/certs/rsyslog_addc.crt
+$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/ssl/private/rsyslog_addc.key
+
+
+$WorkDirectory /var/log/rsyslog/queues
+$ActionQueueType LinkedList
+$ActionQueueFileName samba
+$ActionQueueSaveOnShutdown on
+
+%if %%samba_log_connexion_authentification_proxy == 'oui'
+$ActionSendStreamDriverAuthMode x509/name
+$ActionSendStreamDriverPermittedPeer %%samba_log_connexion_proxy_name
+%else
+$ActionSendStreamDriverAuthMode anon
+%end if
+$ActionSendStreamDriverMode 1
+:programname, isequal, "samba" @@%%samba_log_connexion_proxy_ip:%%samba_log_connexion_proxy_port
diff --git a/smb-addc.conf.patch b/smb-addc.conf.patch
new file mode 100644
index 0000000..47019aa
--- /dev/null
+++ b/smb-addc.conf.patch
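Review bot: In addc-samba_logs_forward.conf, `$ActionSendStreamDriverPermittedPeer` expands `%%samba_log_connexion_proxy_name`, but the only spelling visible in the dictionary hunk of this commit is `samba_log_connexion_proxy_nom`. Unless a `_name` variable is declared elsewhere, the x509/name branch cannot render with the intended peer name, and the line should read `$ActionSendStreamDriverPermittedPeer %%samba_log_connexion_proxy_nom`. Separately, the `%else` branch selects `anon`, which encrypts the stream but does not verify the receiver's certificate, so the authentication events go to whatever host answers on the configured address and port. Since the dictionary appears to default the authentication switch to `non`, a comment above that line such as `# anon: TLS without peer verification, the receiver is not authenticated` would make the trade-off visible to whoever deploys the template.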
@@ -0,0 +1,11 @@
+ --- distrib/smb-addc.conf 2025-02-18 09:29:25.000000000 +0100
++++ modif/smb-addc.conf 2025-06-16 10:31:57.625340810 +0200
+@@ -21,6 +21,8 @@
+ usershare max shares = 0
+ restrict anonymous = 2
+ interfaces = %%ad_public_address
++ syslog = 4
++ log level = 0 auth_audit:4
+
+ [netlogon]
+ comment = Network Logon Service
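Review bot: `syslog = 4` relies on a parameter that, as far as I know, Samba has deprecated in favour of `logging` (for example `logging = syslog@4`), so it is worth confirming that the Samba version in the addc container still honours it. If it does not, the `auth_audit:4` events never reach rsyslog and the forwarding rule on programname `samba` has nothing to send, with no error to signal it. The commit description could also state that `auth_audit:4` is what produces the connection events the receiver consumes, since the two added lines carry no explanation of their own.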