1VFS_FULL_AUDIT(8)         System Administration tools        VFS_FULL_AUDIT(8)
2
3
4

NAME

6       vfs_full_audit - record Samba VFS operations in the system log
7

SYNOPSIS

9       vfs objects = full_audit
10

DESCRIPTION

12       This VFS module is part of the samba(7) suite.
13
14       The vfs_full_audit VFS module records selected client operations to the
15       system log using syslog(3).
16
17       vfs_full_audit is able to record the complete set of Samba VFS
18       operations:
19           chdir
20           chflags
21           chmod
22           chown
23           close
24           closedir
25           connect
26           copy_chunk_send
27           copy_chunk_recv
28           disconnect
29           disk_free
30           fchmod
31           fchown
32           fget_nt_acl
33           fgetxattr
34           flistxattr
35           fremovexattr
36           fset_nt_acl
37           fsetxattr
38           fstat
39           fsync
40           ftruncate
41           get_compression
42           get_nt_acl
43           get_quota
44           get_shadow_copy_data
45           getlock
46           getwd
47           getxattr
48           kernel_flock
49           link
50           linux_setlease
51           listxattr
52           lock
53           lseek
54           lstat
55           mkdir
56           mknod
57           open
58           opendir
59           pread
60           pwrite
61           read
62           readdir
63           readlink
64           realpath
65           removexattr
66           rename
67           rewinddir
68           rmdir
69           seekdir
70           sendfile
71           set_compression
72           set_nt_acl
73           set_quota
74           setxattr
75           snap_check_path
76           snap_create
77           snap_delete
78           stat
79           statvfs
80           symlink
81           sys_acl_delete_def_file
82           sys_acl_get_fd
83           sys_acl_get_file
84           sys_acl_set_fd
85           sys_acl_set_file
86           telldir
87           unlink
88           utime
89           write
90
91       In addition to these operations, vfs_full_audit recognizes the special
92       operation names "all" and "none ", which refer to all the VFS
93       operations and none of the VFS operations respectively.
94
95       vfs_full_audit records operations in fixed format consisting of fields
96       separated by '|' characters. The format is:
97
98                     smbd_audit: PREFIX|OPERATION|RESULT|FILE
99
100
101       The record fields are:
102
103              ·   PREFIX - the result of the full_audit:prefix string after
104                  variable substitutions
105
106              ·   OPERATION - the name of the VFS operation
107
108              ·   RESULT - whether the operation succeeded or failed
109
110              ·   FILE - the name of the file or directory the operation was
111                  performed on
112
113
114       This module is stackable.
115

OPTIONS

117       full_audit:prefix = STRING
118           Prepend audit messages with STRING. STRING is processed for
119           standard substitution variables listed in smb.conf(5). The default
120           prefix is "%u|%I".
121
122       full_audit:success = LIST
123           LIST is a list of VFS operations that should be recorded if they
124           succeed. Operations are specified using the names listed above.
125           Operations can be unset by prefixing the names with "!". The
126           default is none operations.
127
128       full_audit:failure = LIST
129           LIST is a list of VFS operations that should be recorded if they
130           failed. Operations are specified using the names listed above.
131           Operations can be unset by prefixing the names with "!". The
132           default is none operations.
133
134       full_audit:facility = FACILITY
135           Log messages to the named syslog(3) facility.
136
137       full_audit:priority = PRIORITY
138           Log messages with the named syslog(3) priority.
139
140       full_audit:syslog = true/false
141           Log messages to syslog (default) or as a debug level 1 message.
142
143       full_audit:log_secdesc = true/false
144           Log an sddl form of the security descriptor coming in when a client
145           sets an acl. Defaults to false.
146

EXAMPLES

148       Log file and directory open operations on the [records] share using the
149       LOCAL7 facility and ALERT priority, including the username and IP
150       address. Logging excludes the open VFS function on failures:
151
152                   [records]
153                path = /data/records
154                vfs objects = full_audit
155                full_audit:prefix = %u|%I
156                full_audit:success = open opendir
157                full_audit:failure = all !open
158                full_audit:facility = LOCAL7
159                full_audit:priority = ALERT
160

VERSION

162       This man page is part of version 4.9.8 of the Samba suite.
163

AUTHOR

165       The original Samba software and related utilities were created by
166       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
167       Source project similar to the way the Linux kernel is developed.
168
169
170
171Samba 4.9.8                       05/14/2019                 VFS_FULL_AUDIT(8)
Impressum