VFS_FULL_AUDIT(8)         System Administration tools        VFS_FULL_AUDIT(8)

NAME

       vfs_full_audit - record Samba VFS operations in the system log

SYNOPSIS

       vfs objects = full_audit

DESCRIPTION

       This VFS module is part of the samba(7) suite.

       The vfs_full_audit VFS module records selected client operations to the
       system log using syslog(3).

       vfs_full_audit is able to record the complete set of Samba VFS
       operations:
           aio_cancel
           aio_error
           aio_fsync
           aio_read
           aio_return
           aio_suspend
           aio_write
           chdir
           chflags
           chmod
           chmod_acl
           chown
           close
           closedir
           connect
           disconnect
           disk_free
           fchmod
           fchmod_acl
           fchown
           fget_nt_acl
           fgetxattr
           flistxattr
           fremovexattr
           fset_nt_acl
           fsetxattr
           fstat
           fsync
           ftruncate
           get_nt_acl
           get_quota
           get_shadow_copy_data
           getlock
           getwd
           getxattr
           kernel_flock
           lgetxattr
           link
           linux_setlease
           listxattr
           llistxattr
           lock
           lremovexattr
           lseek
           lsetxattr
           lstat
           mkdir
           mknod
           open
           opendir
           pread
           pwrite
           read
           readdir
           readlink
           realpath
           removexattr
           rename
           rewinddir
           rmdir
           seekdir
           sendfile
           set_nt_acl
           set_quota
           setxattr
           stat
           statvfs
           symlink
           sys_acl_add_perm
           sys_acl_clear_perms
           sys_acl_create_entry
           sys_acl_delete_def_file
           sys_acl_free_acl
           sys_acl_free_qualifier
           sys_acl_free_text
           sys_acl_get_entry
           sys_acl_get_fd
           sys_acl_get_file
           sys_acl_get_perm
           sys_acl_get_permset
           sys_acl_get_qualifier
           sys_acl_get_tag_type
           sys_acl_init
           sys_acl_set_fd
           sys_acl_set_file
           sys_acl_set_permset
           sys_acl_set_qualifier
           sys_acl_set_tag_type
           sys_acl_to_text
           sys_acl_valid
           telldir
           unlink
           utime
           write

       In addition to these operations, vfs_full_audit recognizes the special
       operation names "all" and "none", which refer to all the VFS
       operations and none of the VFS operations respectively.

       vfs_full_audit records operations in a fixed format consisting of
       fields separated by '|' characters. The format is:

           smbd_audit: PREFIX|OPERATION|RESULT|FILE

       The record fields are:

       ·   PREFIX - the result of the full_audit:prefix string after variable
           substitutions

       ·   OPERATION - the name of the VFS operation

       ·   RESULT - whether the operation succeeded or failed

       ·   FILE - the name of the file or directory the operation was
           performed on

       This module is stackable.

OPTIONS

       full_audit:prefix = STRING
           Prepend audit messages with STRING. STRING is processed for
           standard substitution variables listed in smb.conf(5). The default
           prefix is "%u|%I".

       full_audit:success = LIST
           LIST is a list of VFS operations that should be recorded if they
           succeed. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!".

       full_audit:failure = LIST
           LIST is a list of VFS operations that should be recorded if they
           fail. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!".

       full_audit:facility = FACILITY
           Log messages to the named syslog(3) facility.

       full_audit:priority = PRIORITY
           Log messages with the named syslog(3) priority.

EXAMPLES

       Log file and directory open operations on the [records] share using the
       LOCAL7 facility and ALERT priority, including the username and IP
       address. Logging excludes the open VFS function on failures:

           [records]
               path = /data/records
               vfs objects = full_audit
               full_audit:prefix = %u|%I
               full_audit:success = open opendir
               full_audit:failure = all !open
               full_audit:facility = LOCAL7
               full_audit:priority = ALERT
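
       The following is an added example, not part of the Samba
       distribution: a parser for the PREFIX|OPERATION|RESULT|FILE records
       produced by the configuration above, with a per-client failure count.
       It assumes RESULT is rendered as "ok" or "fail (reason)" and that the
       syslog tag may carry a "[pid]" suffix; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real logs); prefix is the default "%u|%I".
SAMPLE = """\
Apr 11 10:02:11 fs1 smbd_audit: alice|192.0.2.10|open|ok|/data/records/q1.xls
Apr 11 10:02:15 fs1 smbd_audit: bob|192.0.2.44|opendir|ok|/data/records
Apr 11 10:03:01 fs1 smbd_audit: bob|192.0.2.44|unlink|fail (Permission denied)|/data/records/a|b.txt
Apr 11 10:03:02 fs1 smbd_audit: bob|192.0.2.44|mkdir|fail (Permission denied)|/data/records/new
Apr 11 10:03:09 fs1 sshd[811]: unrelated line
"""

# Assumption: the syslog tag may carry a "[pid]" suffix depending on the syslog daemon.
TAG = re.compile(r"smbd_audit(?:\[\d+\])?: ")
OP_NAME = re.compile(r"[a-z_]+\Z")

def parse_record(line, prefix_fields=2):
    """Parse one audit line into a dict, or return None if it is not a valid record.

    prefix_fields is the number of '|'-separated parts in full_audit:prefix
    (2 for the default "%u|%I"). FILE is taken as the remainder of the line,
    so a '|' inside a file name does not shift the earlier fields.
    """
    m = TAG.search(line)
    if not m:
        return None
    parts = line[m.end():].rstrip("\n").split("|", prefix_fields + 2)
    if len(parts) != prefix_fields + 3:
        return None
    op, result, target = parts[prefix_fields:]
    # Assumed RESULT rendering: "ok" on success, "fail (reason)" on failure.
    if not OP_NAME.match(op) or not (result == "ok" or result.startswith("fail")):
        return None  # misaligned fields, e.g. a '|' inside a substituted prefix value
    return {"prefix": tuple(parts[:prefix_fields]), "op": op,
            "ok": result == "ok", "result": result, "file": target}

def failures_by_client(lines, prefix_fields=2):
    """Count failed operations per PREFIX tuple (user and client IP by default)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line, prefix_fields)
        if rec and not rec["ok"]:
            counts[rec["prefix"]] += 1
    return counts

if __name__ == "__main__":
    for client, n in failures_by_client(SAMPLE.splitlines()).most_common():
        print(client, n)
```

       If full_audit:prefix is changed, pass the matching prefix_fields value
       so that OPERATION and RESULT are read from the correct positions.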

VERSION

       This man page is correct for version 3.0.25 of the Samba suite.

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 3.6                         04/11/2016                 VFS_FULL_AUDIT(8)