VFS_FULL_AUDIT(8)         System Administration tools        VFS_FULL_AUDIT(8)

NAME
       vfs_full_audit - record Samba VFS operations in the system log

SYNOPSIS
       vfs objects = full_audit

DESCRIPTION
       This VFS module is part of the samba(7) suite.

       The vfs_full_audit VFS module records selected client operations to the
       system log using syslog(3).

       vfs_full_audit is able to record the complete set of Samba VFS
       operations:
           chdir
           chflags
           chmod
           chmod_acl
           chown
           close
           closedir
           connect
           copy_chunk_send
           copy_chunk_recv
           disconnect
           disk_free
           fchmod
           fchmod_acl
           fchown
           fget_nt_acl
           fgetxattr
           flistxattr
           fremovexattr
           fset_nt_acl
           fsetxattr
           fstat
           fsync
           ftruncate
           get_compression
           get_nt_acl
           get_quota
           get_shadow_copy_data
           getlock
           getwd
           getxattr
           kernel_flock
           link
           linux_setlease
           listxattr
           lock
           lseek
           lstat
           mkdir
           mknod
           open
           opendir
           pread
           pwrite
           read
           readdir
           readlink
           realpath
           removexattr
           rename
           rewinddir
           rmdir
           seekdir
           sendfile
           set_compression
           set_nt_acl
           set_quota
           setxattr
           snap_check_path
           snap_create
           snap_delete
           stat
           statvfs
           symlink
           sys_acl_delete_def_file
           sys_acl_get_fd
           sys_acl_get_file
           sys_acl_set_fd
           sys_acl_set_file
           telldir
           unlink
           utime
           write

       In addition to these operations, vfs_full_audit recognizes the special
       operation names "all" and "none", which refer to all the VFS
       operations and none of the VFS operations respectively.

       vfs_full_audit records operations in a fixed format consisting of
       fields separated by '|' characters. The format is:

           smbd_audit: PREFIX|OPERATION|RESULT|FILE

       The record fields are:

       ·   PREFIX - the result of the full_audit:prefix string after
           variable substitutions

       ·   OPERATION - the name of the VFS operation

       ·   RESULT - whether the operation succeeded or failed

       ·   FILE - the name of the file or directory the operation was
           performed on

       This module is stackable.

OPTIONS
       full_audit:prefix = STRING
           Prepend audit messages with STRING. STRING is processed for
           standard substitution variables listed in smb.conf(5). The default
           prefix is "%u|%I".

       full_audit:success = LIST
           LIST is a list of VFS operations that should be recorded if they
           succeed. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is all operations.

       full_audit:failure = LIST
           LIST is a list of VFS operations that should be recorded if they
           fail. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is all operations.

       full_audit:facility = FACILITY
           Log messages to the named syslog(3) facility.

       full_audit:priority = PRIORITY
           Log messages with the named syslog(3) priority.

       full_audit:syslog = true/false
           Log messages to syslog (default) or as a debug level 1 message.

       full_audit:log_secdesc = true/false
           Log the SDDL form of the security descriptor coming in when a
           client sets an ACL. Defaults to false.

EXAMPLES
       Log file and directory open operations on the [records] share using the
       LOCAL7 facility and ALERT priority, including the username and IP
       address. Logging excludes the open VFS function on failures:

                   [records]
                   path = /data/records
                   vfs objects = full_audit
                   full_audit:prefix = %u|%I
                   full_audit:success = open opendir
                   full_audit:failure = all !open
                   full_audit:facility = LOCAL7
                   full_audit:priority = ALERT
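
       Records written with the "%u|%I" prefix can be parsed and summarised
       as shown here. This is an added example, not part of the Samba man page
       or Samba's own code: parse_record and failures_by_prefix are
       hypothetical helpers, the syslog lines are constructed, and a successful
       RESULT is assumed to be the literal "ok".

```python
import re
from collections import Counter

# Syslog tag written by the module; a "[pid]" suffix is tolerated.
RECORD = re.compile(r"smbd_audit(?:\[\d+\])?: (?P<payload>.*)$")

def parse_record(line, prefix_fields=2):
    """Parse 'smbd_audit: PREFIX|OPERATION|RESULT|FILE' (hypothetical helper).
    prefix_fields is how many '|'-separated fields full_audit:prefix
    expands to: 2 for the default "%u|%I". Returns None for other lines.
    """
    m = RECORD.search(line.rstrip("\n"))
    if not m:
        return None
    # Split off only the fields we expect. FILE is a client-chosen name and
    # may itself contain '|', so everything after RESULT is kept intact.
    parts = m.group("payload").split("|", prefix_fields + 2)
    if len(parts) != prefix_fields + 3:
        return None
    operation, result, path = parts[prefix_fields:]
    return {
        "prefix": tuple(parts[:prefix_fields]),
        "operation": operation,
        "result": result,
        "ok": result == "ok",  # assumption: success is logged as "ok"
        "file": path,
    }

def failures_by_prefix(lines, prefix_fields=2):
    """Count failed operations per prefix (user, client IP by default)."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line, prefix_fields)
        if rec and not rec["ok"]:
            counts[rec["prefix"]] += 1
    return counts

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    "Oct 30 10:00:01 fs1 smbd_audit: alice|192.0.2.10|opendir|ok|/data/records",
    "Oct 30 10:00:02 fs1 smbd_audit: alice|192.0.2.10|open|ok|q3|draft.txt",
    "Oct 30 10:00:05 fs1 smbd_audit: bob|192.0.2.44|unlink|fail (Permission denied)|q3.txt",
    "Oct 30 10:00:06 fs1 smbd_audit: bob|192.0.2.44|rename|fail (Permission denied)|a.txt",
    "Oct 30 10:00:07 fs1 smbd[812]: unrelated daemon message",
]

if __name__ == "__main__":
    for key, n in failures_by_prefix(SAMPLE).items():
        print(key, n)
```

       If full_audit:prefix is changed, pass the matching field count as
       prefix_fields so that a '|' inside a file name is not mistaken for a
       field separator.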

VERSION
       This man page is part of version 4.8.3 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.8.3                       10/30/2018                 VFS_FULL_AUDIT(8)