VFS_FULL_AUDIT(8)         System Administration tools        VFS_FULL_AUDIT(8)

NAME

       vfs_full_audit - record Samba VFS operations in the system log

SYNOPSIS

       vfs objects = full_audit

DESCRIPTION

       This VFS module is part of the samba(7) suite.

       The vfs_full_audit VFS module records selected client operations to the
       system log using syslog(3).

       vfs_full_audit is able to record the complete set of Samba VFS
       operations:
           chdir
           chflags
           chmod
           chmod_acl
           chown
           close
           closedir
           connect
           copy_chunk_send
           copy_chunk_recv
           disconnect
           disk_free
           fchmod
           fchmod_acl
           fchown
           fget_nt_acl
           fgetxattr
           flistxattr
           fremovexattr
           fset_nt_acl
           fsetxattr
           fstat
           fsync
           ftruncate
           get_compression
           get_nt_acl
           get_quota
           get_shadow_copy_data
           getlock
           getwd
           getxattr
           kernel_flock
           link
           linux_setlease
           listxattr
           lock
           lseek
           lstat
           mkdir
           mknod
           open
           opendir
           pread
           pwrite
           read
           readdir
           readlink
           realpath
           removexattr
           rename
           rewinddir
           rmdir
           seekdir
           sendfile
           set_compression
           set_nt_acl
           set_quota
           setxattr
           stat
           statvfs
           symlink
           sys_acl_delete_def_file
           sys_acl_get_fd
           sys_acl_get_file
           sys_acl_set_fd
           sys_acl_set_file
           telldir
           unlink
           utime
           write

       In addition to these operations, vfs_full_audit recognizes the special
       operation names "all" and "none", which refer to all the VFS
       operations and none of the VFS operations respectively.

       vfs_full_audit records operations in a fixed format consisting of
       fields separated by '|' characters. The format is:

           smbd_audit: PREFIX|OPERATION|RESULT|FILE

       The record fields are:

       ·   PREFIX - the result of the full_audit:prefix string after variable
           substitutions

       ·   OPERATION - the name of the VFS operation

       ·   RESULT - whether the operation succeeded or failed

       ·   FILE - the name of the file or directory the operation was
           performed on

       This module is stackable.

OPTIONS

       full_audit:prefix = STRING
           Prepend audit messages with STRING. STRING is processed for
           standard substitution variables listed in smb.conf(5). The default
           prefix is "%u|%I".

       full_audit:success = LIST
           LIST is a list of VFS operations that should be recorded if they
           succeed. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is all operations.

       full_audit:failure = LIST
           LIST is a list of VFS operations that should be recorded if they
           failed. Operations are specified using the names listed above.
           Operations can be unset by prefixing the names with "!". The
           default is all operations.

       full_audit:facility = FACILITY
           Log messages to the named syslog(3) facility.

       full_audit:priority = PRIORITY
           Log messages with the named syslog(3) priority.

       full_audit:syslog = true/false
           Log messages to syslog (default) or as a debug level 1 message.

       full_audit:log_secdesc = true/false
           Log an SDDL form of the security descriptor coming in when a client
           sets an ACL. Defaults to false.

EXAMPLES

       Log file and directory open operations on the [records] share using the
       LOCAL7 facility and ALERT priority, including the username and IP
       address. Logging excludes the open VFS function on failures:

           [records]
               path = /data/records
               vfs objects = full_audit
               full_audit:prefix = %u|%I
               full_audit:success = open opendir
               full_audit:failure = all !open
               full_audit:facility = LOCAL7
               full_audit:priority = ALERT
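
       An added example, not part of the Samba man page: a Python parser for
       the PREFIX|OPERATION|RESULT|FILE record, assuming the prefix %u|%I from
       the [records] share so that PREFIX expands to two fields. The sample
       lines are constructed, and the RESULT strings "ok" and "fail (...)" are
       an assumption about what the module writes.

```python
from typing import NamedTuple, Optional

# Number of '|'-separated fields produced by full_audit:prefix.
# The prefix "%u|%I" (user name, client IP) expands to two fields.
PREFIX_FIELDS = 2
TAG = "smbd_audit: "   # record tag shown in the format above


class AuditRecord(NamedTuple):
    prefix: tuple      # expanded prefix fields, e.g. (user, client IP)
    operation: str
    result: str
    file: str

    @property
    def failed(self) -> bool:
        # Assumption: failed operations start with "fail", successes are "ok".
        return self.result.startswith("fail")


def parse_line(line: str, prefix_fields: int = PREFIX_FIELDS) -> Optional[AuditRecord]:
    """Parse one syslog line; return None if it is not a full_audit record."""
    _, tag, payload = line.rstrip("\n").partition(TAG)
    if not tag:
        return None                      # some other daemon's message
    # Split only on the fixed leading fields, so a '|' that is part of
    # the file name stays inside FILE instead of shifting the columns.
    parts = payload.split("|", prefix_fields + 2)
    if len(parts) != prefix_fields + 3:
        return None                      # truncated record or wrong prefix width
    return AuditRecord(tuple(parts[:prefix_fields]), *parts[prefix_fields:])


# Constructed sample lines (not real log data).
SAMPLE = """\
Jun 19 10:02:11 fs1 smbd_audit: alice|192.0.2.10|open|ok|reports/q2.xls
Jun 19 10:02:14 fs1 smbd_audit: bob|192.0.2.23|opendir|ok|reports
Jun 19 10:03:40 fs1 smbd_audit: bob|192.0.2.23|unlink|fail (Permission denied)|reports/a|b.txt
Jun 19 10:03:41 fs1 smbd[811]: unrelated daemon message
"""


def failures(text: str):
    """Return (user, ip, operation, file) for every failed operation."""
    recs = (parse_line(line) for line in text.splitlines())
    return [(*r.prefix, r.operation, r.file) for r in recs if r and r.failed]


if __name__ == "__main__":
    for row in failures(SAMPLE):
        print(row)
```

       If full_audit:prefix is changed, PREFIX_FIELDS must match the number of
       '|'-separated fields the new prefix produces, or the columns shift.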

VERSION

       This man page is correct for version 3.0.25 of the Samba suite.

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.
Samba 4.2                         06/19/2018                 VFS_FULL_AUDIT(8)