1VFS_FULL_AUDIT(8) System Administration tools VFS_FULL_AUDIT(8)
2
6 vfs_full_audit - record Samba VFS operations in the system log
7
9 vfs objects = full_audit
10
12 This VFS module is part of the samba(7) suite.
13 The vfs_full_audit VFS module records selected client operations to the
15 system log using syslog(3).
16 vfs_full_audit is able to record the complete set of Samba VFS
18 operations:
19 chdir
20 chflags
21 chmod
22 chmod_acl
23 chown
24 close
25 closedir
26 connect
27 copy_chunk_send
28 copy_chunk_recv
29 disconnect
30 disk_free
31 fchmod
32 fchmod_acl
33 fchown
34 fget_nt_acl
35 fgetxattr
36 flistxattr
37 fremovexattr
38 fset_nt_acl
39 fsetxattr
40 fstat
41 fsync
42 ftruncate
43 get_compression
44 get_nt_acl
45 get_quota
46 get_shadow_copy_data
47 getlock
48 getwd
49 getxattr
50 kernel_flock
51 link
52 linux_setlease
53 listxattr
54 lock
55 lseek
56 lstat
57 mkdir
58 mknod
59 open
60 opendir
61 pread
62 pwrite
63 read
64 readdir
65 readlink
66 realpath
67 removexattr
68 rename
69 rewinddir
70 rmdir
71 seekdir
72 sendfile
73 set_compression
74 set_nt_acl
75 set_quota
76 setxattr
77 stat
78 statvfs
79 symlink
80 sys_acl_delete_def_file
81 sys_acl_get_fd
82 sys_acl_get_file
83 sys_acl_set_fd
84 sys_acl_set_file
85 telldir
86 unlink
87 utime
88 write
89 In addition to these operations, vfs_full_audit recognizes the special
91 operation names "all" and "none ", which refer to all the VFS
92 operations and none of the VFS operations respectively.
93 vfs_full_audit records operations in fixed format consisting of fields
95 separated by ´|´ characters. The format is:
96 smbd_audit: PREFIX|OPERATION|RESULT|FILE
98 The record fields are:
101 · PREFIX - the result of the full_audit:prefix string after variable
103 substitutions
104 · OPERATION - the name of the VFS operation
106 · RESULT - whether the operation succeeded or failed
108 · FILE - the name of the file or directory the operation was
110 performed on
111 This module is stackable.
114
116 full_audit:prefix = STRING
117 Prepend audit messages with STRING. STRING is processed for
118 standard substitution variables listed in smb.conf(5). The default
119 prefix is "%u|%I".
120 full_audit:success = LIST
122 LIST is a list of VFS operations that should be recorded if they
123 succeed. Operations are specified using the names listed above.
124 Operations can be unset by prefixing the names with "!". The
125 default is all operations.
126 full_audit:failure = LIST
128 LIST is a list of VFS operations that should be recorded if they
129 failed. Operations are specified using the names listed above.
130 Operations can be unset by prefixing the names with "!". The
131 default is all operations.
132 full_audit:facility = FACILITY
134 Log messages to the named syslog(3) facility.
135 full_audit:priority = PRIORITY
137 Log messages with the named syslog(3) priority.
138 full_audit:syslog = true/false
140 Log messages to syslog (default) or as a debug level 1 message.
141 full_audit:log_secdesc = true/false
143 Log an sddl form of the security descriptor coming in when a client
144 sets an acl. Defaults to false.
145
147 Log file and directory open operations on the [records] share using the
148 LOCAL7 facility and ALERT priority, including the username and IP
149 address. Logging excludes the open VFS function on failures:
150 [records]
152 path = /data/records
153 vfs objects = full_audit
154 full_audit:prefix = %u|%I
155 full_audit:success = open opendir
156 full_audit:failure = all !open
157 full_audit:facility = LOCAL7
158 full_audit:priority = ALERT
159
161 This man page is correct for version 3.0.25 of the Samba suite.
162
164 The original Samba software and related utilities were created by
165 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
166 Source project similar to the way the Linux kernel is developed.
167Samba 4.2 06/19/2018 VFS_FULL_AUDIT(8)